CVE-2024-13391

6.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious scripts into WordPress pages via a plugin shortcode. The scripts execute when users view the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using the vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet plugin for WordPress
Versions: All versions up to and including 2.9.29
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and the 'videowhisper_content_upload_guest' shortcode to be used on pages; contributor-level or higher access is needed for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access, leading to full site compromise.

🟠 Likely Case

Attackers inject scripts to steal user session cookies or credentials, potentially gaining higher privileges or performing actions on behalf of users.

🟢 If Mitigated

With proper input sanitization and output escaping, the vulnerability is prevented, and impact is limited to minor data exposure if other security controls fail.
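As an added illustration, not code from the MicroPayments plugin, the pattern that makes a shortcode attribute exploitable by anyone who can place the shortcode, beside the sanitize-on-input, escape-on-output handling that the mitigated case above describes. The shortcode name, attribute names and form markup are hypothetical; the WordPress functions are real.

```php
<?php
// Added example: a hypothetical shortcode handler, not the plugin's own code.
// Shortcode and attribute names ('example_upload_form', 'title', 'redirect')
// are assumptions made for this illustration.

// VULNERABLE pattern: attribute values are concatenated into HTML unescaped.
// A contributor who can insert the shortcode controls 'title' and 'redirect',
// so a stored script in either attribute runs for every viewer of the page.
function example_upload_form_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Upload', 'redirect' => '' ),
        $atts,
        'example_upload_form'
    );
    return '<h3>' . $atts['title'] . '</h3>'
         . '<form method="post" action="' . $atts['redirect'] . '">'
         . '<input type="file" name="upload"></form>';
}

// HARDENED pattern: sanitize on input, escape on output for the context the
// value lands in (HTML text vs. URL attribute), and restrict URLs to http(s)
// so javascript: and data: schemes are dropped rather than rendered.
function example_upload_form_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Upload', 'redirect' => '' ),
        $atts,
        'example_upload_form'
    );

    $title    = sanitize_text_field( $atts['title'] );                        // strips tags, control chars
    $redirect = esc_url_raw( $atts['redirect'], array( 'http', 'https' ) );  // '' if scheme not allowed

    return '<h3>' . esc_html( $title ) . '</h3>'                               // HTML text context
         . '<form method="post" action="' . esc_url( $redirect ) . '">'       // URL attribute context
         . '<input type="file" name="upload"></form>';
}

// Only the hardened handler is registered.
add_shortcode( 'example_upload_form', 'example_upload_form_safe' );
```

Escaping at output is the control that holds even if a value was stored before sanitization was added, which is why a plugin update should be verified by re-rendering pages that already contain the shortcode.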

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward due to insufficient input sanitization; weaponization is likely given the common nature of XSS vulnerabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.9.29 (check plugin updates for exact version)

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3224254%40paid-membership&new=3224254%40paid-membership&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find the MicroPayments plugin and click 'Update Now' if available.
  4. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Remove or Restrict Shortcode Usage (applies to: all)

Disable or remove the 'videowhisper_content_upload_guest' shortcode from pages to prevent exploitation.

Edit WordPress pages/posts to remove [videowhisper_content_upload_guest] shortcode instances

Restrict User Roles (applies to: all)

Limit contributor-level and higher access to trusted users only to reduce attack surface.

In WordPress, go to Users > All Users and review/remove unnecessary contributor roles

🧯 If You Can't Patch

  • Disable the plugin entirely until a patch can be applied.
  • Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in WordPress admin under Plugins > Installed Plugins; if version is 2.9.29 or lower, it is vulnerable.

Check Version:

From the WordPress installation directory, run (requires WP-CLI): wp plugin list --field=version --name='paid-membership'

Verify Fix Applied:

After updating, confirm the plugin version is above 2.9.29 and test the shortcode functionality for any script injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to pages with the shortcode containing script tags or encoded payloads in user attributes

Network Indicators:

  • HTTP requests with suspicious parameters like <script> or javascript: in URLs or form data

SIEM Query:

Example: source="wordpress_logs" AND (message:"videowhisper_content_upload_guest" AND message:"<script>")
