CVE-2024-13743 is a stored cross-site scripting (XSS) vulnerability identified in the Wonder Video Embed plugin for WordPress, specifically affecting all versions up to and including 2.2. The vulnerability arises from improper neutralization of user-supplied input in the wonderplugin_video shortcode, where insufficient input sanitization and lack of output escaping allow authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the browsers of any user who visits the infected page, enabling attacks such as session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability requires the attacker to have at least contributor-level privileges, which means it cannot be exploited by unauthenticated users, but it does not require any user interaction once the malicious content is injected. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability affects components beyond the initially compromised plugin, impacting the confidentiality and integrity of user data. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of CVE-2024-13743 is the compromise of confidentiality and integrity of users interacting with affected WordPress sites using the Wonder Video Embed plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or distribution of malware. This can damage the reputation of affected organizations, lead to data breaches, and cause loss of user trust. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by access controls, but insider threats or compromised contributor accounts increase exposure. The vulnerability does not impact availability directly but can indirectly cause service disruption if exploited to deface sites or trigger security responses. Organizations relying on this plugin for video embedding on WordPress sites, especially those with multiple contributors, are at risk of targeted attacks or exploitation by malicious insiders.

To mitigate CVE-2024-13743, organizations should immediately audit their WordPress installations for the presence of the Wonder Video Embed plugin and verify the version in use. Since no official patch links are provided, administrators should consider the following specific actions: 1) Restrict contributor-level access strictly to trusted users and review user permissions to minimize the number of users who can inject content. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious script injections in shortcode parameters or page content. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Sanitize and validate all user inputs related to video embedding shortcodes manually or via custom filters if plugin updates are unavailable. 5) Monitor site content for unexpected script tags or changes in pages containing wonderplugin_video shortcodes. 6) Consider temporarily disabling or removing the Wonder Video Embed plugin until an official patch is released. 7) Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies. These targeted mitigations go beyond generic advice by focusing on access control, monitoring, and layered defenses specific to this plugin's vulnerability.