CVE-2024-13711 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Pollin plugin for WordPress, developed by binnyva. This vulnerability exists in all versions up to and including 1.01.1 due to inadequate sanitization and escaping of user-supplied input in the 'question' parameter. Specifically, when a user accesses a URL containing a maliciously crafted 'question' parameter, the plugin fails to neutralize potentially harmful scripts, allowing them to be reflected back and executed in the victim's browser context. This type of vulnerability is categorized under CWE-79, which involves improper neutralization of input during web page generation. The attack vector is remote and requires no authentication, but it does require user interaction, such as clicking on a malicious link. The CVSS 3.1 base score is 6.1, indicating a medium severity level, with the vector string AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This means the attack can be launched over the network with low complexity, no privileges required, but user interaction is necessary. The scope is changed, indicating that the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity to a limited extent but does not impact availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. However, the vulnerability poses a risk of session hijacking, credential theft, or redirection to malicious sites if exploited successfully.

The primary impact of CVE-2024-13711 is the potential compromise of user confidentiality and integrity on websites using the vulnerable Pollin plugin. Attackers can execute arbitrary JavaScript in the context of the victim's browser, potentially stealing session cookies, performing actions on behalf of the user, or redirecting users to malicious websites. This can lead to account compromise, data leakage, and erosion of user trust. Since the vulnerability is reflected XSS, it requires social engineering to lure users into clicking malicious links, which can be distributed via email, social media, or other channels. Organizations running WordPress sites with the Pollin plugin are at risk of reputational damage, regulatory penalties if user data is compromised, and operational disruptions if attackers leverage the vulnerability for further attacks. The medium CVSS score reflects moderate risk, but the widespread use of WordPress and the ease of exploitation without authentication increase the threat surface significantly.

To mitigate CVE-2024-13711, organizations should immediately audit their WordPress installations to identify the presence of the Pollin plugin and its version. Since no official patch links are currently available, administrators should consider the following practical steps: 1) Temporarily disable or remove the Pollin plugin until a vendor patch is released. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'question' parameter. 3) Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 4) Educate users about the risks of clicking untrusted links, especially those that appear to come from the affected website. 5) Monitor web server logs for unusual query strings or repeated attempts to exploit the 'question' parameter. 6) Once a patch is released by binnyva, apply it promptly and verify the fix. 7) Consider using security plugins that provide additional input sanitization and output encoding for WordPress sites. These measures collectively reduce the risk of exploitation while awaiting an official fix.