CVE-2024-13702 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin CRM and Lead Management by vcita in all versions up to and including 2.7.4. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of user-supplied attributes within the 'vCitaMeetingScheduler' and 'vCitaSchedulingCalendar' shortcodes. These shortcodes fail to adequately sanitize and escape input, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability requires no user interaction but does require the attacker to have authenticated access with contributor or higher privileges, which is a moderate barrier but common in collaborative WordPress environments. The CVSS v3.1 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change with low confidentiality and integrity impact but no availability impact. No public exploits have been reported yet, but the vulnerability is published and known. The lack of patch links suggests that either a patch is pending or users must rely on manual mitigations or updates from the vendor. This vulnerability highlights the risks of insufficient input validation in CMS plugins, especially those handling dynamic content generation.

The impact of CVE-2024-13702 is significant for organizations using the affected vcita CRM and Lead Management plugin on WordPress sites. Successful exploitation allows authenticated contributors or higher to inject persistent malicious scripts, which execute in the context of other users visiting the infected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential spread of malware. Since contributors typically have content creation privileges, attackers can leverage this to escalate attacks within the site or target site administrators and visitors. The vulnerability affects confidentiality and integrity but not availability. In environments with multiple users or customers accessing the site, the risk of data compromise and reputational damage is elevated. Organizations relying on this plugin for customer relationship management and lead tracking may face operational disruptions if attackers manipulate or steal data. The medium severity rating indicates a moderate but actionable risk that should be addressed promptly to prevent exploitation, especially in high-traffic or sensitive WordPress deployments.

To mitigate CVE-2024-13702, organizations should: 1) Immediately update the CRM and Lead Management by vcita plugin to the latest version once a patch is released by the vendor. 2) Until a patch is available, restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious script injection. 3) Implement Web Application Firewall (WAF) rules that detect and block suspicious script injection patterns in shortcode attributes. 4) Conduct regular security audits and code reviews of user-generated content and shortcode usage to identify and remove injected scripts. 5) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6) Educate site administrators and contributors about the risks of XSS and safe content management practices. 7) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 8) Consider disabling or limiting the use of the vulnerable shortcodes if feasible until the vulnerability is resolved. These steps go beyond generic advice by focusing on access control, proactive detection, and layered defenses tailored to the plugin’s functionality.