CVE-2024-13700 is a stored cross-site scripting (XSS) vulnerability identified in the Embed Swagger UI plugin for WordPress, developed by spanrig. The vulnerability exists in all versions up to and including 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'wpsgui' shortcode. This flaw allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript code into pages where the shortcode is used. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the risk remains significant due to the ease of exploitation by authenticated users. The vulnerability underscores the importance of proper input validation and output encoding in WordPress plugins, especially those that accept user input for page generation. Since the plugin is used to embed Swagger UI documentation, affected sites likely include development, API documentation, and testing environments. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

The primary impact of CVE-2024-13700 is the potential for attackers with contributor-level access to execute arbitrary JavaScript in the context of affected WordPress sites. This can lead to session hijacking, theft of sensitive information such as authentication tokens, defacement of website content, and unauthorized actions performed on behalf of legitimate users. The vulnerability compromises confidentiality and integrity but does not affect availability. Since contributor-level access is required, the attack surface is limited to sites that allow such user roles, which is common in collaborative WordPress environments. Exploitation can affect all users who visit the compromised pages, including administrators, increasing the risk of privilege escalation and further compromise. Organizations relying on this plugin for API documentation or developer portals may face reputational damage, data leakage, and potential regulatory compliance issues if user data is exposed. The absence of public exploits reduces immediate risk but does not eliminate the threat, especially in environments with multiple contributors or less stringent access controls.

To mitigate CVE-2024-13700, organizations should immediately update the Embed Swagger UI plugin to a patched version once available. Until a patch is released, restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious shortcode injection. Implement web application firewalls (WAF) with rules to detect and block suspicious script injections in shortcode attributes. Conduct regular audits of pages using the 'wpsgui' shortcode to identify and remove any injected scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. Educate contributors about secure input handling and the risks of injecting untrusted content. Additionally, consider disabling or removing the plugin if it is not essential to reduce the attack surface. Monitor logs and user activity for signs of exploitation attempts or unusual behavior related to shortcode usage. Finally, ensure that all WordPress core and plugins follow secure coding practices, including proper input validation and output encoding.