CVE-2024-13582: 
WordPress vulnerability analysis and mitigation

The Simple Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin has been identified with a Stored Cross-Site Scripting vulnerability (CVE-2024-13582). The vulnerability affects all versions up to and including 1.0, and was discovered by Peter Thaleikis. The issue was publicly disclosed on February 17, 2025 (Wordfence Intel).

The vulnerability exists in the plugin's 'wdosimplepricingtablefree' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 6.4 (Medium) by Wordfence and 5.4 (Medium) by NIST. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other malicious actions (NVD Database).

Website administrators using the Simple Pricing Tables For WPBakery Page Builder plugin should update to a version newer than 1.0 if available, or consider removing the plugin until a patch is released. Additionally, limiting contributor access and implementing strict content review processes can help mitigate the risk (NVD Database).