CVE-2024-29763

7.1 HIGH

📋 TL;DR

This reflected XSS vulnerability in the WordPress Meta Data and Taxonomies Filter plugin allows attackers to inject malicious scripts into web pages viewed by other users. It affects all WordPress sites using MDTF plugin versions up to 1.3.3. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • WordPress Meta Data and Taxonomies Filter (MDTF) plugin
Versions: n/a through 1.3.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the WordPress site, install backdoors, deface the website, or steal sensitive user data.

🟠 Likely Case

Attackers steal user session cookies, redirect visitors to malicious sites, or perform limited actions within the victim's permissions.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires user interaction (clicking malicious link) but is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-meta-data-filter-and-taxonomy-filter/wordpress-mdtf-meta-data-and-taxonomies-filter-plugin-1-3-3-cross-site-scripting-xss-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Meta Data and Taxonomies Filter'.
4. Click 'Update Now' if an update is available.
5. If no update is offered, manually download version 1.3.4 or later from the WordPress plugin repository.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily disable the MDTF plugin until it can be patched:

wp plugin deactivate wp-meta-data-filter-and-taxonomy-filter

Implement WAF rules (applies to: all)

Add XSS protection rules to your web application firewall.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Enable WordPress security plugins with XSS protection features

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Meta Data and Taxonomies Filter' version ≤1.3.3.

Check Version:

wp plugin get wp-meta-data-filter-and-taxonomy-filter --field=version

Verify Fix Applied:

Verify plugin version is 1.3.4 or higher in WordPress admin panel.
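The version checks above, scripted: an added example (not part of the advisory or the plugin) that wraps the WP-CLI command from the "Check Version" step and compares the result against the first fixed release, 1.3.4. The WP_PATH variable and the check_site helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed MDTF
# version is still in the affected range (<= 1.3.3) or at/after the fix (1.3.4).
FIXED_VERSION="1.3.4"
PLUGIN_SLUG="wp-meta-data-filter-and-taxonomy-filter"

# version_lt A B -> returns 0 when dot-separated version A is strictly lower than B.
# Missing components count as 0, so "1.3" compares as "1.3.0".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# mdtf_status VERSION -> prints "vulnerable" for <= 1.3.3, "patched" for >= 1.3.4.
mdtf_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# check_site SITE_PATH -> reads the installed version with WP-CLI (the command
# from the advisory) and reports its status. Assumes wp is on PATH.
check_site() {
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$1" 2>/dev/null) || {
        echo "MDTF not installed at $1, or WP-CLI unavailable"
        return 2
    }
    echo "MDTF $installed at $1: $(mdtf_status "$installed")"
}

# WP_PATH is an assumed environment variable naming the WordPress root;
# leave it unset to use the functions above without touching a live site.
if [ -n "${WP_PATH:-}" ]; then
    check_site "$WP_PATH"
fi
```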

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET/POST requests with script tags or JavaScript in parameters
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript in query parameters
  • Unusual redirects from your WordPress site

SIEM Query:

source="web_server_logs" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=") AND uri="*mdtf*"
