CVE-2024-13313: 
WordPress vulnerability analysis and mitigation

The AWeber WordPress plugin through version 7.3.20 has been identified with a stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2024-13313. The vulnerability was discovered by Krugov Artyom and publicly disclosed on December 27, 2024. This security issue affects the plugin's settings functionality and impacts WordPress installations using the AWeber Web Form Widget plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. Specifically, the issue affects fields such as 'Add Subscriber to:', 'Add Tags', and 'Subscription Label' in the Settings tab. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79 (Cross-Site Scripting) (WPScan).

This vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The impact is particularly notable in WordPress multisite installations where certain HTML filtering restrictions are typically enforced (NVD).

The vulnerability has been patched in version 7.3.21 of the AWeber WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).