CVE-2024-13704 is a stored cross-site scripting vulnerability identified in the Super Testimonials plugin for WordPress, developed by themepoints. This vulnerability affects all versions up to and including 4.0.1. The root cause is insufficient input sanitization and output escaping of the 'st_user_title' parameter, which is used to display user titles in testimonial entries. Because the plugin fails to properly neutralize script-related HTML tags, an unauthenticated attacker can inject arbitrary JavaScript code into the testimonial content. When any user accesses a page containing the injected testimonial, the malicious script executes in their browser context. This can lead to theft of session cookies, user impersonation, or unauthorized actions performed with the victim's privileges. The vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a common XSS category. The CVSS v3.1 base score is 7.2, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change due to impact on other components. While no public exploits have been observed, the vulnerability's characteristics make it a significant threat to WordPress sites using this plugin. The lack of a patch link suggests that a fix may not yet be publicly available, increasing the urgency for mitigation.

The impact of CVE-2024-13704 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially stealing authentication cookies, session tokens, or other sensitive information. This can lead to account takeover, unauthorized actions such as changing user settings or posting malicious content, and further compromise of the website's integrity. Because the vulnerability is stored XSS, the malicious payload persists on the server, affecting all users who visit the infected pages. The attack requires no authentication or user interaction, increasing the risk of widespread exploitation. For organizations, this can result in reputational damage, loss of customer trust, data breaches, and compliance violations. E-commerce, financial, and high-traffic websites using the plugin are particularly vulnerable to targeted attacks and automated exploitation attempts.

1. Immediately disable the Super Testimonials plugin if it is not essential to your website's functionality. 2. Monitor the vendor's official channels for patches or updates addressing CVE-2024-13704 and apply them promptly once available. 3. Implement a Web Application Firewall (WAF) with custom rules to detect and block malicious payloads targeting the 'st_user_title' parameter, focusing on script tags and suspicious input patterns. 4. Conduct input validation and output encoding on testimonial content at the application level if possible, sanitizing user inputs before storage and escaping outputs before rendering. 5. Restrict permissions for users who can submit testimonials to trusted roles only, reducing the risk of injection by unauthenticated or low-privilege users. 6. Regularly audit website content for unexpected or suspicious scripts embedded in testimonials or other user-generated content. 7. Educate site administrators and developers about the risks of stored XSS and secure coding practices to prevent similar vulnerabilities. 8. Consider alternative plugins with better security track records if immediate patching is not feasible.