CVE-2024-0689 in Custom Field Suite Plugin

Summary

by MITRE • 02/29/2024

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a meta import in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the meta values. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.


Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-0689 affects the Custom Field Suite plugin for WordPress, representing a critical stored cross-site scripting weakness that undermines web application security. This flaw exists within all versions up to and including 2.6.4, creating a persistent threat vector that can compromise user sessions and execute malicious code within the context of affected websites. The vulnerability specifically targets the plugin's handling of meta import functionality, where insufficient input sanitization and output escaping mechanisms fail to properly validate or escape meta values before storage and subsequent execution.

The technical exploitation of this vulnerability requires an authenticated attacker possessing administrator-level permissions or higher within the WordPress environment. This privileged access requirement significantly reduces the attack surface but does not eliminate the severity of impact, as administrators typically have extensive control over website content and user data. The flaw manifests in multi-site WordPress installations where the unfiltered_html capability has been disabled, creating a specific operational context where the vulnerability becomes exploitable. This restriction highlights the plugin's reliance on WordPress's core security mechanisms and demonstrates how plugin-level vulnerabilities can interact with broader platform configurations to create dangerous attack scenarios.

The operational impact of CVE-2024-0689 extends beyond simple script execution, potentially enabling attackers to steal user sessions, manipulate content, or redirect users to malicious websites. When authenticated users access pages containing injected scripts, the malicious code executes within their browser context, providing attackers with access to sensitive data and potentially allowing for further privilege escalation. The stored nature of this XSS vulnerability means that once injected, malicious scripts persist in the database and execute automatically whenever affected pages are loaded, creating a long-term threat that can evade traditional security measures and detection mechanisms.

Security professionals should recognize this vulnerability as an instance of CWE-79, which covers Cross-Site Scripting flaws in web applications. The attack pattern aligns with ATT&CK technique T1566.001, which describes the use of malicious content delivered through web applications to compromise user systems. Mitigation strategies should focus on immediate plugin updates to versions that address the sanitization and escaping deficiencies, combined with comprehensive security reviews of meta import functionality. Organizations should also implement additional monitoring for suspicious meta value modifications and consider restricting administrator privileges to reduce the potential impact of such vulnerabilities. The vulnerability underscores the critical importance of input validation and output escaping in web applications, particularly when handling user-supplied data within content management systems that serve as central repositories for website content and user interactions.
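The sanitize-on-import / escape-on-output pattern the analysis calls for, shown as an added example in plain PHP that is not the Custom Field Suite plugin's own code. The function names and the sample import are assumptions made here so the script runs from the CLI without WordPress; the WordPress helpers named in the comments (sanitize_text_field, wp_kses_post, esc_html, esc_attr) are the real equivalents a plugin would use.

```php
<?php
// Added example, not code from the Custom Field Suite plugin.
// Shows the bug class behind CVE-2024-0689 in miniature: meta values that
// arrive through an import are stored verbatim and echoed into a page
// unescaped (vulnerable form), versus sanitized on the way in and escaped on
// the way out (hardened form). Plain PHP so it runs stand-alone; in WordPress
// use sanitize_text_field() or wp_kses_post() on input and esc_html() /
// esc_attr() on output.

declare(strict_types=1);

/** Escape a string for an HTML text or double-quoted attribute context. */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Sanitize a meta value at import time so what reaches the database is
 * already inert: drop markup and control characters, trim whitespace.
 * (If a field is meant to hold limited HTML, an allow-list filter such as
 * wp_kses_post() belongs here instead of strip_tags().)
 */
function sanitize_meta_value(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

/** Vulnerable form: renders imported meta keys and values verbatim. */
function render_meta_vulnerable(array $meta): string
{
    $html = '';
    foreach ($meta as $key => $value) {
        // Both the attribute and the text node take attacker-controlled data.
        $html .= "<li data-key=\"$key\">$value</li>\n";
    }
    return $html;
}

/** Hardened form: sanitize on import, then escape for each output context. */
function render_meta_hardened(array $meta): string
{
    $html = '';
    foreach ($meta as $key => $value) {
        $safeKey   = escape_html(sanitize_meta_value((string) $key));
        $safeValue = escape_html(sanitize_meta_value((string) $value));
        $html .= "<li data-key=\"$safeKey\">$safeValue</li>\n";
    }
    return $html;
}

// Constructed sample import: one benign value and one carrying markup.
$imported = [
    'subtitle' => 'Quarterly report',
    'notes'    => '<script>document.title = "x"</script>',
];

echo "--- vulnerable ---\n", render_meta_vulnerable($imported);
echo "--- hardened ---\n",   render_meta_hardened($imported);
```

Running the script with `php example.php` prints the markup intact in the vulnerable listing and stripped (or, had strip_tags been omitted, entity-encoded) in the hardened one. The two layers are deliberately independent: escaping at output is what actually prevents script execution regardless of what is stored, while sanitizing at import limits what an administrator-level account can persist in the first place, which matters on installations where unfiltered_html has been disabled.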

Responsible: Wordfence

Reservation: 01/18/2024

Disclosure: 02/29/2024

Moderation: accepted

CPE: ready

EPSS: 0.00342

KEV: no

Activities: very low

Sources
