CVE-2024-13506: 
WordPress vulnerability analysis and mitigation

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress (CVE-2024-13506) contains a Stored Cross-Site Scripting vulnerability discovered by Tim Coen. The vulnerability affects all versions up to and including 2.8.97, with the issue being publicly disclosed on February 10, 2025 (Wordfence Intel).

The vulnerability stems from insufficient input sanitization and output escaping in the display_name profile parameter. It has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The weakness has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Website administrators running affected versions of the GeoDirectory plugin should update to a version newer than 2.8.97 as soon as possible. The vulnerability has been addressed in the WordPress plugin repository (WordPress Plugin).