CVE-2024-13757: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in averta Master Slider – Responsive Touch Slider
CVE-2024-13757 is a stored cross-site scripting (XSS) vulnerability in the Master Slider – Responsive Touch Slider WordPress plugin, in all versions up to and including 3.10.6. It arises from insufficient input sanitization and output escaping of user-supplied attributes in the ms_layer shortcode, allowing authenticated users with contributor-level access or higher to store script in a post or page. The injected script runs in the browser of every user who views the affected page, enabling session abuse, defacement, or actions performed with the victim's privileges. The vulnerability carries a CVSS 3.1 base score of 6.4 (medium severity) and requires no user interaction beyond viewing the page. No public exploits are known at the time of writing. Organizations using this plugin should update as soon as a fixed release is available and apply the mitigations below in the meantime. The issue affects WordPress sites worldwide, particularly those that grant the Contributor role to untrusted or externally managed accounts.
AI Analysis
Technical Summary
CVE-2024-13757 is a stored cross-site scripting vulnerability, classified under CWE-79, in the Master Slider – Responsive Touch Slider plugin for WordPress, versions up to and including 3.10.6. It stems from insufficient sanitization and escaping of user-supplied attributes in the plugin's ms_layer shortcode. The WordPress Contributor role can create and edit its own posts but lacks the unfiltered_html capability, so KSES strips disallowed HTML tags from anything it saves; KSES does not understand shortcode syntax, however, and a shortcode's attribute text is stored verbatim and only turned into HTML when the plugin renders the shortcode at page-view time. An ms_layer attribute value containing quote characters, an on*= event handler, or a javascript: URL therefore survives saving, and if the plugin writes it into its markup without context-appropriate escaping (esc_attr() for attribute values, esc_url() for links, or wp_kses() for restricted HTML, the standard WordPress remediation for this class of flaw), it becomes live script. Contributors cannot publish, so the payload first fires when an Editor or Administrator previews or reviews the pending post, and then in the browser of every visitor once the post is published; the script runs in the site's origin and can issue authenticated requests in the victim's session, read page content, redirect, or deface. The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N yields the 6.4 base score: network-reachable, low attack complexity, low privileges required, no user interaction, a scope change because the plugin is the vulnerable component while the impact lands in the victim's browser, and partial confidentiality and integrity loss with no availability impact. The advisory entry links no fixed version and reports no exploitation in the wild, but the flaw is a significant risk for any site that hands contributor-level accounts to untrusted people.
Potential Impact
An attacker with contributor-level access can store persistent script in site content that then runs in the browser of anyone who views the affected page, including the Editors and Administrators who review pending posts. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is unlikely; the realistic impact is script acting within the victim's session, for example creating a new administrator account or modifying content through wp-admin or the REST API when an administrator views the page, alongside credential phishing, redirection to malicious sites, and defacement. For organizations this means a contributor account, whether a malicious insider or a compromised external author, can be escalated to full site control, with the data-breach, reputational, and regulatory consequences that follow. WordPress and Master Slider are widely deployed, so exposure is global and spans e-commerce, media, education, and government sites. The need for contributor-level access confines the flaw to sites that grant that role to potentially untrusted users, but multi-author blogs, guest-post programs, and compromised accounts make that common. Availability is unaffected; confidentiality and integrity are partially impacted, and the CVSS scope change records that the damage occurs outside the plugin itself, in the browsers and sessions of the site's users.
Mitigation Recommendations
Organizations should immediately inventory WordPress sites running the Master Slider – Responsive Touch Slider plugin and identify installations at version 3.10.6 or earlier. Apply the vendor's fixed release as soon as one is available. Until then, restrict the Contributor role (and any custom role able to create posts) to trusted users, and consider deactivating the plugin where contributor accounts are widely assigned. Because the payload lives in post content, updating the plugin stops new injection but does not remove shortcodes already saved: review existing posts and revisions for ms_layer shortcodes whose attribute values contain quotes, angle brackets, javascript: URLs, or on*= event handlers, paying particular attention to content authored by contributor accounts. A Web Application Firewall can provide interim coverage by inspecting post-save requests (the classic editor's POST to wp-admin/post.php and the block editor's REST calls to /wp-json/wp/v2/posts) for ms_layer shortcodes carrying such values; expect some false positives on legitimate titles containing quotes. A Content Security Policy that disallows inline script (no 'unsafe-inline' in script-src, or nonce- or hash-based allow-listing) would block injected event handlers and javascript: URLs, but many WordPress themes and plugins depend on inline script, so test with Content-Security-Policy-Report-Only before enforcing. Review user roles and capabilities periodically, and monitor for pending or newly published posts that contain ms_layer shortcodes from unexpected authors, since a pending post is enough to reach whoever reviews it.
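As an added audit example (not Master Slider code and not from the Wordfence advisory), the Python below implements the two checks the Technical Summary and the mitigation steps call for: a version comparison against 3.10.6, and a scan of stored post content for ms_layer shortcodes whose attribute values carry attribute-breakout or script material that KSES leaves untouched. It assumes post rows have been exported as (ID, post_author, post_content) tuples, for instance from wp_posts; the attribute grammar is a reimplementation of the three value forms WordPress's shortcode parser accepts, not WordPress code, and the sample rows are constructed.

```python
"""Audit helper for CVE-2024-13757 (stored XSS via the ms_layer shortcode).

Illustrative code added to this write-up; it is not Master Slider code and not
from the advisory. Assumptions: post content has been exported as plain strings
(e.g. SELECT ID, post_author, post_content FROM wp_posts), and the attribute
grammar below is a reimplementation of the value forms WordPress's
shortcode_parse_atts() accepts (double-quoted, single-quoted, bare), not
WordPress code.
"""
import re
from typing import Dict, Iterable, List, Tuple

LAST_AFFECTED = (3, 10, 6)  # all releases up to and including 3.10.6

# Opening [ms_layer ...] tag and its raw attribute text (closing tag ignored).
MS_LAYER_RE = re.compile(r"\[ms_layer\b([^\]]*)\]", re.IGNORECASE)

# name="value" | name='value' | name=value, tried in that order.
ATTR_RE = re.compile(
    r"""([\w-]+)\s*=\s*"([^"]*)"|([\w-]+)\s*=\s*'([^']*)'|([\w-]+)\s*=\s*([^\s'"]+)"""
)

# Material that lets an unescaped value break out of an HTML attribute or
# element context, or that turns a URL attribute into script. KSES does not
# parse shortcode syntax, so all of it survives in a contributor's post body.
SUSPICIOUS_RE = re.compile(r"""<|>|"|javascript:|\bon[a-z]+\s*=|&#""", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.10.6' -> (3, 10, 6); non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected_version(version: str) -> bool:
    """True when the installed Master Slider version is <= 3.10.6."""
    return parse_version(version) <= LAST_AFFECTED


def parse_attrs(raw: str) -> Dict[str, str]:
    """Split a shortcode's attribute text into {name: value}; names lowercased."""
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        if m.group(1) is not None:
            attrs[m.group(1).lower()] = m.group(2)
        elif m.group(3) is not None:
            attrs[m.group(3).lower()] = m.group(4)
        else:
            attrs[m.group(5).lower()] = m.group(6)
    return attrs


def find_suspicious_ms_layer(content: str) -> List[Dict[str, str]]:
    """Return every ms_layer attribute whose value could not be a benign slider setting."""
    findings: List[Dict[str, str]] = []
    for m in MS_LAYER_RE.finditer(content):
        for name, value in parse_attrs(m.group(1)).items():
            if SUSPICIOUS_RE.search(value):
                findings.append({"attr": name, "value": value, "shortcode": m.group(0)})
    return findings


def audit_posts(posts: Iterable[Tuple[int, int, str]]) -> List[Dict]:
    """posts: (post_id, author_id, post_content) rows. One finding per bad attribute."""
    out: List[Dict] = []
    for post_id, author_id, content in posts:
        for f in find_suspicious_ms_layer(content):
            out.append({"post_id": post_id, "author": author_id, **f})
    return out


# Constructed sample rows standing in for wp_posts; 102 and 103 carry payloads
# of the kind described above (attribute breakout, javascript: URL).
SAMPLE_POSTS = [
    (101, 4, '[ms_layer type="text" title="Summer sale"]Up to 40% off[/ms_layer]'),
    (102, 7, "[ms_layer type=\"text\" title='x\" onmouseover=\"alert(document.cookie)']"),
    (103, 7, '[ms_layer type="image" link="javascript:alert(1)" title="Promo"]'),
    (104, 2, '[ms_layer type="text" style="color:#c00;font-size:18px"]Plain[/ms_layer]'),
]

if __name__ == "__main__":
    print("3.10.6 affected:", is_affected_version("3.10.6"))
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']} author {f['author']}: {f['attr']}={f['value']!r}")
```

Feed it rows from a wp db query export or a REST API dump, treat findings authored by Contributor accounts as the highest priority, and re-run after upgrading, since a fixed plugin escapes on output but leaves the stored shortcode in place. Titles that legitimately contain quotes will be flagged; that is the right trade-off for an audit.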
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-27T23:30:49.888Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e6db7ef31ef0b5a06c1
Added to database: 2/25/2026, 9:49:33 PM
Last enriched: 2/25/2026, 10:13:46 PM
Last updated: 2/25/2026, 10:53:43 PM