CVE-2024-13657
📋 TL;DR
This stored XSS vulnerability in the Store Locator Widget WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts via the plugin's shortcode. The scripts execute whenever users view pages containing the compromised shortcode, potentially compromising visitor browsers. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Store Locator Widget WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, redirect users to malicious sites, deface websites, or install malware on visitor systems.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session data or redirect visitors to phishing sites.
If Mitigated
With proper user access controls and content filtering, impact is limited to potential defacement of specific pages.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via WordPress editor.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 20200131
Vendor Advisory: https://plugins.trac.wordpress.org/browser/store-locator-widget/trunk/store-locator-widget.php#L118
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Store Locator Widget. 4. Click 'Update Now' if available. 5. If no update available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Remove Contributor Shortcode Permissions
allRestrict contributor-level users from using the storelocatorwidget shortcode via role management plugins.
Content Security Policy
allImplement CSP headers to restrict script execution from untrusted sources.
🧯 If You Can't Patch
- Deactivate and remove the Store Locator Widget plugin immediately
- Implement strict user access controls to limit contributor permissions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Store Locator Widget version. If version is 20200131 or earlier, you are vulnerable.Check Version:
wp plugin list --name=store-locator-widget --field=versionVerify Fix Applied:
After update, verify plugin version is later than 20200131 and test shortcode functionality.📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode modifications in post/page revisions
- Multiple failed login attempts followed by contributor account activity
Network Indicators:
- Unexpected script tags in page responses containing storelocatorwidget attributes
SIEM Query:
source="wordpress" AND (event="post_modified" OR event="plugin_updated") AND plugin="store-locator-widget"