CVE-2021-24855 in Display Post Metadata Plugininfo

Summary

by MITRE • 12/13/2021

The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 12/16/2021

The vulnerability identified as CVE-2021-24855 affects the Display Post Metadata WordPress plugin, specifically versions prior to 1.5.0, presenting a critical cross-site scripting risk that can be exploited by users with minimal privileges. This security flaw resides in the plugin's handling of custom field data through shortcode functionality, where the content is not properly sanitized or escaped before being rendered on web pages. The vulnerability is particularly concerning because it allows attackers with Contributor-level access to execute malicious scripts against other users who view the affected content, bypassing typical security boundaries that would normally restrict such capabilities to higher-privileged roles.

The technical implementation of this vulnerability stems from the plugin's shortcode mechanism that outputs custom field values without adequate input validation or output escaping procedures. When administrators or content creators use the plugin to display custom metadata through shortcodes, the raw data from custom fields is directly injected into HTML contexts without proper sanitization. This creates an environment where malicious actors can inject JavaScript code or other malicious payloads into custom field values, which then execute in the browsers of users who view pages containing these shortcodes. The vulnerability specifically manifests when the plugin processes user-supplied data that contains script tags or other potentially dangerous content, as the sanitization routines are either absent or insufficient to prevent execution of harmful code.

The operational impact of CVE-2021-24855 extends beyond simple XSS exploitation, as it represents a significant privilege escalation vector within WordPress environments. Contributors typically have limited capabilities to modify core system functionality, but this vulnerability allows them to effectively bypass security controls by injecting malicious content that affects other users. The attack surface includes any WordPress site utilizing the Display Post Metadata plugin with custom fields that contain user-generated content, making it particularly dangerous in collaborative environments where multiple users contribute content. This vulnerability can be exploited to steal user sessions, redirect visitors to malicious sites, deface websites, or harvest sensitive information from authenticated users who view the compromised content.

Security practitioners should immediately update the Display Post Metadata plugin to version 1.5.0 or later, as this release includes proper sanitization and escaping mechanisms for custom field content. Organizations should implement additional monitoring of custom field values and shortcode usage within their WordPress installations, particularly focusing on user contributions that may contain executable content. The vulnerability aligns with CWE-79 which describes Cross-Site Scripting flaws, and maps to ATT&CK technique T1566.001 which covers Social Engineering through malicious content injection. Administrators should also consider implementing Content Security Policy headers as an additional defense-in-depth measure, and conduct regular security audits of plugin configurations to ensure that user input is properly validated and sanitized across all custom field implementations.

Reservation

01/14/2021

Disclosure

12/13/2021

Moderation

accepted

CPE

ready

EPSS

0.00604

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!