CVE-2024-13497

CVE-2024-13497 is a stored cross-site scripting (XSS) vulnerability in the Tripetto plugin for WordPress, a form builder for contact forms, surveys, and quizzes. It affects all versions up to and including 8.0.9 and stems from insufficient input sanitization and output escaping when handling attachment uploads. This flaw, associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By uploading malicious attachments containing arbitrary web scripts, attackers can inject code that executes in the context of pages displaying the uploaded files whenever any user, including administrators, accesses them. This leads to potential theft of session cookies, account takeover, or further site compromise due to the changed scope (S:C).

Mitigation details are available in plugin advisories and code references. The Wordfence threat intelligence page provides vulnerability analysis, while WordPress plugin trac links show the vulnerable code in attachments.php (line 46) and a changeset applying fixes between revisions 3231968 and 3251202 in the trunk branch, indicating that updating to a version beyond 8.0.9 resolves the issue. Security practitioners should urge site owners to update the Tripetto plugin immediately.