CVE-2024-13733 is a stored cross-site scripting (XSS) vulnerability identified in the SKT Blocks – Gutenberg based Page Builder plugin for WordPress, specifically within the skt-blocks/post-carousel block. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied attributes. As a result, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 1.7 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. This vulnerability is significant because WordPress powers a large portion of the web, and plugins like SKT Blocks are widely used for page building, increasing the attack surface. The ability for relatively low-privileged users to inject persistent scripts elevates the risk of widespread impact within affected sites.

The impact of CVE-2024-13733 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the browsers of any user visiting the compromised pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Although availability is not directly impacted, the reputational damage and potential data breaches can be severe. Organizations relying on the SKT Blocks plugin for content management and page building face risks of internal compromise, especially if contributor accounts are not tightly controlled. The vulnerability's exploitation does not require user interaction beyond visiting an infected page, increasing the likelihood of impact. Given WordPress's global usage, the threat can affect a wide range of sectors including e-commerce, media, education, and government websites. The absence of known exploits in the wild currently limits immediate widespread damage, but the vulnerability remains a significant risk until remediated.

To mitigate CVE-2024-13733, organizations should first verify if they are using the SKT Blocks – Gutenberg based Page Builder plugin and identify the version in use. Since no official patch links are currently available, administrators should consider the following specific actions: 1) Restrict contributor-level and higher privileges strictly to trusted users to reduce the risk of malicious script injection. 2) Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injection patterns targeting the skt-blocks/post-carousel block. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 4) Regularly audit and sanitize existing content created via the vulnerable block to remove any injected scripts. 5) Monitor logs and user activities for unusual behavior indicative of exploitation attempts. 6) Stay alert for official plugin updates or patches from the vendor and apply them promptly once available. 7) Consider temporarily disabling or replacing the vulnerable plugin with alternative page builders that have no known XSS issues. These targeted mitigations go beyond generic advice by focusing on privilege management, WAF tuning, CSP enforcement, and content audits specific to this vulnerability.