CVE-2024-13748 is a stored cross-site scripting (XSS) vulnerability identified in the Ultimate Classified Listings plugin for WordPress, affecting all versions up to and including 1.4. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the Title parameter. This flaw allows authenticated attackers with administrator-level access to inject arbitrary JavaScript code into pages. The malicious scripts persist in the database and execute whenever any user accesses the compromised page. The vulnerability is constrained to multi-site WordPress installations or those with the unfiltered_html capability disabled, which restricts the ability to post unfiltered HTML content. Exploitation requires high privileges (administrator) but does not require user interaction once the malicious content is injected. The vulnerability impacts confidentiality and integrity by enabling script execution that could steal session tokens, perform actions on behalf of users, or manipulate page content. However, it does not affect availability. The CVSS 3.1 base score is 4.4, reflecting medium severity due to the requirement for high privileges and limited scope of affected installations. No public exploits have been reported yet. The vulnerability was published on February 20, 2025, and assigned by Wordfence. No official patches are listed, so mitigation may require plugin updates or configuration changes.

The primary impact of CVE-2024-13748 is the potential for persistent cross-site scripting attacks within WordPress multi-site environments using the Ultimate Classified Listings plugin. An attacker with administrator privileges can inject malicious scripts that execute in the context of other users visiting the affected pages. This can lead to theft of sensitive information such as authentication cookies or tokens, unauthorized actions performed on behalf of users, defacement, or redirection to malicious sites. Although exploitation requires high privileges, the vulnerability increases risk if administrator accounts are compromised or insider threats exist. The impact is limited to confidentiality and integrity; availability is not affected. Organizations relying on multi-site WordPress setups with this plugin may face reputational damage, data leakage, or further compromise if attackers leverage this vulnerability. Since no known exploits are currently in the wild, the threat is moderate but could escalate if weaponized. The vulnerability's scope is limited to installations with multi-site enabled or unfiltered_html disabled, reducing the overall attack surface but still posing a significant risk to affected environments.

1. Upgrade the Ultimate Classified Listings plugin to a version that addresses this vulnerability once available. Monitor vendor announcements for patches. 2. If no patch is currently available, restrict administrator access to trusted personnel only and audit admin accounts regularly to prevent unauthorized access. 3. For multi-site WordPress installations, consider disabling or limiting the use of the Ultimate Classified Listings plugin until a fix is applied. 4. Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 5. Implement Web Application Firewall (WAF) rules to detect and block malicious input patterns targeting the Title parameter. 6. Regularly scan the website for injected scripts or anomalous content in classified listings pages. 7. Educate administrators about the risks of stored XSS and the importance of sanitizing inputs when managing content. 8. Review and tighten WordPress capability settings, especially related to unfiltered_html, to minimize exposure. 9. Backup website data frequently to enable recovery in case of compromise. 10. Monitor security advisories from WordPress and plugin developers for updates.