CVE-2024-13313: 
WordPress vulnerability analysis and mitigation

The AWeber WordPress plugin through version 7.3.20 contains a stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2024-13313. The vulnerability was discovered by Krugov Artyom and publicly disclosed on December 27, 2024. This security issue affects the plugin's settings functionality in WordPress installations using the AWeber Web Form Widget plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin, specifically affecting fields such as 'Add Subscriber to:', 'Add Tags', and 'Subscription Label' in the Settings tab. The issue has been assigned a CVSS score of 4.8 (Medium severity) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability enables high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled. This impact is particularly significant in WordPress multisite installations where certain HTML filtering restrictions are typically enforced (WPScan).

The vulnerability has been patched in version 7.3.21 of the AWeber WordPress plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).