CVE-2024-13559: 
WordPress vulnerability analysis and mitigation

The TemplatesNext ToolKit WordPress plugin (versions up to 3.2.9) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2024-13559. The vulnerability was discovered in the plugin's 'tx_woo_wishlist_table' shortcode functionality and was publicly disclosed on February 28, 2025. The issue affects WordPress installations using the vulnerable plugin versions (NVD CVE, Wordfence Intel).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the 'tx_woo_wishlist_table' shortcode. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever users access the compromised pages, potentially leading to data theft, session hijacking, or other malicious actions (NVD CVE).