CVE-2024-0653
📋 TL;DR
The Custom Field Template WordPress plugin is vulnerable to stored cross-site scripting (XSS) in admin settings. Authenticated attackers with administrator privileges can inject malicious scripts that execute when users view affected pages. This only impacts WordPress multi-site installations or sites where unfiltered_html capability is disabled.
💻 Affected Systems
- WordPress Custom Field Template plugin
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to complete site takeover, data theft, or malware distribution to visitors.
Likely Case
Session hijacking, credential theft, or defacement of admin pages.
If Mitigated
Limited to authenticated administrators, with minimal impact if proper access controls and monitoring are in place.
🎯 Exploit Status
Requires administrator-level authentication. Exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.2
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Custom Field Template' and click 'Update Now' if available.
4. Alternatively, download version 2.6.2+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Enable unfiltered_html for administrators
Grant administrators the unfiltered_html capability to bypass the vulnerability condition. Note that this removes the restriction rather than the injection point: administrators can then store arbitrary HTML and script, which is the normal single-site default. On multi-site, this constant alone does not grant unfiltered_html to site administrators; only super admins hold it.
Add to wp-config.php: define('DISALLOW_UNFILTERED_HTML', false);
Disable plugin
Temporarily disable the Custom Field Template plugin until patched.
wp plugin deactivate custom-field-template
🧯 If You Can't Patch
- Restrict administrator accounts to trusted personnel only and implement strict access controls.
- Enable WordPress security plugins that detect and block XSS attempts in admin areas.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins → Installed Plugins. If the version is 2.6.1 or lower, the site is vulnerable when it is a multi-site installation or the unfiltered_html capability is disabled.
Check Version:
wp plugin get custom-field-template --field=version
Verify Fix Applied:
Confirm plugin version is 2.6.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php or plugin settings pages containing script tags.
- Administrator account activity from unexpected IP addresses or at unusual times.
Network Indicators:
- Unexpected outbound connections from WordPress admin area to external domains.
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "custom-field-template") AND (http_method="POST" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
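The SIEM query above, implemented as an added example over constructed JSON-lines events (not part of the original advisory or the plugin). It goes one step further than the literal query: it URL-decodes the request body and matches case-insensitively, since the plain CONTAINS "<script>" term misses encoded or mixed-case variants; the field names mirror the query and are assumed.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample events in the shape the SIEM query expects; not real logs.
SAMPLE_EVENTS = [
    '{"source":"wordpress","uri_path":"/wp-admin/admin-ajax.php","http_method":"POST","request_body":"action=heartbeat&_nonce=abc123"}',
    '{"source":"wordpress","uri_path":"/wp-admin/admin.php?page=custom-field-template","http_method":"POST","request_body":"cft_options=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}',
    '{"source":"wordpress","uri_path":"/wp-admin/admin-ajax.php","http_method":"GET","request_body":""}',
    '{"source":"wordpress","uri_path":"/wp-admin/admin-ajax.php","http_method":"POST","request_body":"action=cft_save&link=JavaScript:void(0)"}',
    '{"source":"nginx","uri_path":"/wp-admin/admin-ajax.php","http_method":"POST","request_body":"<script>x</script>"}',
]

# uri_path CONTAINS "custom-field-template", case-insensitive
PATH_RE = re.compile(r"custom-field-template", re.I)
# "<script>" or "javascript:" after decoding, tolerant of whitespace and case
PAYLOAD_RE = re.compile(r"<\s*script\b|javascript\s*:", re.I)


def matches_rule(event: dict) -> bool:
    """Return True when one event satisfies every clause of the SIEM query."""
    if event.get("source") != "wordpress":
        return False
    path = event.get("uri_path", "")
    if path != "/wp-admin/admin-ajax.php" and not PATH_RE.search(path):
        return False
    if event.get("http_method") != "POST":
        return False
    # Decode before matching so %3Cscript%3E is seen as <script>
    body = unquote_plus(event.get("request_body", ""))
    return PAYLOAD_RE.search(body) is not None


def flagged_events(lines):
    """Parse JSON-lines events and return those the rule flags; skip bad lines."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_rule(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in flagged_events(SAMPLE_EVENTS):
        print(hit["http_method"], hit["uri_path"], unquote_plus(hit["request_body"]))
```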
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3069937%40custom-field-template&new=3069937%40custom-field-template&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9a88330e-fbeb-4ac7-a143-a59766accbeb?source=cve