CVE-2024-9590
📋 TL;DR
This stored XSS vulnerability in WordPress Category and Taxonomy Meta Fields plugin allows authenticated attackers with editor-level permissions to inject malicious scripts into pages. When users visit compromised pages, the scripts execute in their browsers. Only affects multi-site WordPress installations or sites where unfiltered_html capability is disabled.
💻 Affected Systems
- WordPress Category and Taxonomy Meta Fields plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install backdoors for persistent access.
Likely Case
Attackers with editor access inject malicious scripts to steal user session cookies or redirect visitors to phishing pages.
If Mitigated
With proper user role management and unfiltered_html enabled, impact is limited to administrators who could already execute code.
🎯 Exploit Status
Requires authenticated editor-level access. Exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/1454207/wp-custom-taxonomy-meta/trunk/wp-texonomy-meta.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Category and Taxonomy Meta Fields'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.0.1 from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin (all platforms)
Temporarily deactivate the plugin until patched:
wp plugin deactivate wp-custom-taxonomy-meta
Restrict user roles (all platforms)
Remove editor permissions from untrusted users:
wp user remove-role <username> editor
🧯 If You Can't Patch
- Enable the unfiltered_html capability so the vulnerable code path is not reached; this is only appropriate for users who are already trusted to publish raw HTML, since it removes WordPress's own output filtering for them
- Implement strict user role management and audit editor-level users
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins → Installed Plugins. If the version is 1.0.0 or lower, the site is vulnerable when it is a multi-site installation OR the unfiltered_html capability is disabled.
Check Version:
wp plugin get wp-custom-taxonomy-meta --field=version
Verify Fix Applied:
Verify plugin version is 1.0.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with meta field parameters
- Multiple image meta field updates from editor users
Network Indicators:
- External script loads from unexpected domains on WordPress pages
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "wpaft_add_meta_textinput")
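The log indicators and SIEM query above can be turned into an offline check. The following is an added example, not part of the original advisory: it walks constructed JSON-lines records (the field names uri_path, post_data and user are assumed, as is the URL-encoded body layout), keeps admin-ajax.php POSTs whose body mentions wpaft_add_meta_textinput, flags decoded values that carry HTML or JavaScript markup, and counts meta-field updates per user.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample records (not real logs): one JSON object per line with the
# fields the advisory's SIEM query refers to (uri_path, post_data) plus the user.
SAMPLE_LOG = """
{"user": "editor1", "uri_path": "/wp-admin/admin-ajax.php", "post_data": "action=wpaft_add_meta_textinput&value=Spring+sale"}
{"user": "editor2", "uri_path": "/wp-admin/admin-ajax.php", "post_data": "action=wpaft_add_meta_textinput&value=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}
{"user": "editor2", "uri_path": "/wp-admin/admin-ajax.php", "post_data": "action=wpaft_add_meta_textinput&value=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"}
{"user": "admin", "uri_path": "/wp-admin/post.php", "post_data": "post_title=Hello"}
"""

# Heuristic for markup in a value that should be plain text: an opening tag,
# a javascript: URL, or an inline event-handler attribute.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

PLUGIN_FIELD = "wpaft_add_meta_textinput"
AJAX_PATH = "/wp-admin/admin-ajax.php"


def meta_field_events(log_text):
    """Yield (user, decoded_values) for admin-ajax POSTs touching the plugin field."""
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        body = rec.get("post_data", "")
        if rec.get("uri_path") != AJAX_PATH or PLUGIN_FIELD not in body:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so encoded
        # tags are inspected in their decoded form.
        params = parse_qs(body, keep_blank_values=True)
        values = [v for vals in params.values() for v in vals]
        yield rec.get("user", "?"), values


def find_suspicious(log_text):
    """Return the events whose decoded field values contain HTML/JS markup."""
    hits = []
    for user, values in meta_field_events(log_text):
        bad = [v for v in values if MARKUP.search(v)]
        if bad:
            hits.append({"user": user, "values": bad})
    return hits


def updates_per_user(log_text):
    """Count plugin meta-field updates per user (the 'multiple updates' indicator)."""
    return Counter(user for user, _ in meta_field_events(log_text))
```

Records are filtered on path and field name first, so unrelated admin traffic (the post.php line) never reaches the markup check.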