CVE-2024-13721: CWE-85 Doubled Character XSS Manipulations in plethoraplugins Plethora Plugins Tabs + Accordions
CVE-2024-13721 is a stored Cross-Site Scripting (XSS) vulnerability in the Plethora Plugins Tabs + Accordions WordPress plugin, affecting all versions up to 1.1.8. The flaw arises from insufficient input sanitization and output escaping of the 'anchor' parameter, allowing authenticated users with Contributor-level or higher privileges to inject malicious scripts. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or further attacks. The vulnerability has a CVSS score of 6.4 (medium severity), requires no user interaction, and impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent exploitation, especially in environments with multiple contributors. Countries with significant WordPress usage and active web development communities are most at risk.
AI Analysis
Technical Summary
CVE-2024-13721 is a stored Cross-Site Scripting vulnerability identified in the Plethora Plugins Tabs + Accordions plugin for WordPress, affecting all versions up to and including 1.1.8. The vulnerability stems from improper input validation and output escaping of the 'anchor' parameter, which is used to create tabs and accordions on WordPress pages. Authenticated users with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into the 'anchor' parameter. Because the malicious script is stored persistently in the website's content, it executes automatically whenever any user visits the affected page. This can lead to unauthorized actions such as session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability is classified under CWE-85 (Doubled Character XSS Manipulations), indicating a nuanced input handling issue that bypasses typical sanitization. The CVSS v3.1 score of 6.4 reflects a medium severity, with an attack vector over the network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or known exploits are currently reported, but the risk remains significant due to the potential for persistent script injection and the common use of WordPress and this plugin in content management. The vulnerability highlights the importance of rigorous input validation and output encoding in web applications, especially those allowing user-generated content.
Potential Impact
The primary impact of CVE-2024-13721 is the compromise of confidentiality and integrity of affected WordPress sites using the Plethora Plugins Tabs + Accordions plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the context of any user visiting the infected page, potentially stealing session cookies, performing actions on behalf of users, or delivering further malware payloads. This can lead to account takeover, defacement, data leakage, or pivoting to other parts of the network. Although availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations with multiple contributors or editors are at higher risk, as the attack requires authenticated access. The vulnerability could be leveraged in targeted attacks against websites with sensitive user bases or administrative functions. Given WordPress's widespread use globally, the threat can affect a broad range of sectors including e-commerce, media, education, and government websites.
Mitigation Recommendations
1. Immediate mitigation involves updating the Plethora Plugins Tabs + Accordions plugin to a patched version once released by the vendor. Until a patch is available, restrict Contributor-level and higher privileges to trusted users only.
2. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'anchor' parameter, focusing on script tags and unusual character sequences.
3. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and restrict sources of executable scripts to trusted domains.
4. Conduct regular audits of user-generated content, especially tabs and accordions, to identify and remove injected scripts.
5. Harden WordPress installations by disabling unnecessary plugins and enforcing the principle of least privilege for user roles.
6. Educate content contributors about the risks of injecting untrusted content and monitor logs for unusual activity.
7. Use security plugins that provide XSS protection and input sanitization enhancements.
These steps collectively reduce the attack surface and limit the impact of exploitation.
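The CWE-85 classification and the "rigorous input validation and output encoding" point above are illustrated by the following added example (written for this page, not code from the Plethora plugin). It contrasts a single-pass blocklist filter, which a doubled-character input defeats, with allowlist validation of the anchor at input time plus attribute escaping at output time; the anchor format and the render function are assumptions, and the inputs are constructed.

```python
import html
import re
from typing import Optional

# Allowlist for an HTML id/anchor value (assumed format for this example):
# a letter, then letters, digits, hyphen or underscore, at most 64 characters.
ANCHOR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,63}$")


def strip_script_once(value: str) -> str:
    """Single-pass blocklist filter that removes <script> tags once.
    Shown only to demonstrate the CWE-85 failure mode: removing the inner
    tag of a doubled sequence reassembles the outer one."""
    return re.sub(r"(?i)</?script[^>]*>", "", value)


def validate_anchor(value: str) -> Optional[str]:
    """Allowlist validation at input time: return the anchor if it is a
    plain HTML id, otherwise None so the caller can reject it or fall back.
    (In WordPress, sanitize_html_class() serves a similar purpose.)"""
    value = value.strip()
    return value if ANCHOR_RE.fullmatch(value) else None


def render_tab(anchor: str, title: str) -> str:
    """Output encoding at render time: every dynamic value is escaped even
    though validate_anchor() already ran, as defence in depth.
    (In WordPress, esc_attr() and esc_html() play these roles.)"""
    safe_anchor = validate_anchor(anchor) or "tab"
    return '<div id="{}">{}</div>'.format(
        html.escape(safe_anchor, quote=True), html.escape(title)
    )


# Constructed inputs (not from the advisory): a benign anchor and a
# doubled-character value that survives the single-pass strip.
BENIGN = "pricing-tab"
DOUBLED = "intro<scr<script>ipt>"

if __name__ == "__main__":
    print(strip_script_once(DOUBLED))   # one pass leaves a <script> tag behind
    print(validate_anchor(DOUBLED))     # None: rejected by the allowlist
    print(render_tab(BENIGN, "Pricing"))
```

The takeaway for mitigation step 2 is that WAF or plugin filters built as single-pass blocklists are exactly what CWE-85 inputs bypass; an allowlist on the anchor format is the reliable check.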
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-24T16:17:04.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e6ab7ef31ef0b5a044c
Added to database: 2/25/2026, 9:49:30 PM
Last enriched: 2/25/2026, 10:29:35 PM
Last updated: 2/26/2026, 6:37:13 AM