CVE-2024-10143 in MB Custom Post Types & Custom Taxonomies Plugin

Summary

by MITRE • 05/16/2025

The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


Analysis

by VulDB Data Team • 06/12/2025

The vulnerability identified as CVE-2024-10143 affects the MB Custom Post Types & Custom Taxonomies WordPress plugin in versions prior to 2.7.7. This issue represents a critical security flaw that undermines the integrity of WordPress multisite environments where strict content validation is enforced. Because the plugin neither sanitises nor escapes some user-provided settings, persistent malicious code can be stored and later executed within the administrative interface. Security administrators should note that this is particularly dangerous in multisite configurations, where the unfiltered_html capability is typically withheld from site admins precisely to prevent cross-site scripting. The flaw allows attackers who already hold administrative privileges to inject scripts that persist across user sessions and system interactions.

Technically, the vulnerability stems from inadequate input validation and output escaping in the plugin's settings handling code. When administrators configure custom post types or taxonomies through the plugin interface, the values entered into various fields are neither sanitised on save nor escaped when rendered. A malicious payload is therefore stored in the plugin's configuration settings as entered, and is emitted unencoded each time the settings are displayed. This makes it a stored cross-site scripting attack: the code is saved permanently in the application's database or configuration files and persists across different user sessions and browser interactions. The flaw is especially concerning where the WordPress environment restricts the unfiltered_html capability, since that restriction normally provides an additional layer of protection that this vulnerability bypasses.
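The save-and-render pattern described above, shown as an added example that is not the plugin's own code (option, field and function names are hypothetical): the first pair stores and echoes a setting raw, while the hardened version sanitises on save through register_setting and escapes for the output context, reducing markup-bearing fields to the wp_kses_post whitelist when the saving user lacks unfiltered_html.

```php
<?php
// Added example, not the plugin's own code. Option, field and function names are
// hypothetical. Both handlers run only for users who may manage options; the point
// of the advisory is that even such users must not be able to store script once
// the unfiltered_html capability has been removed (e.g. on multisite).

// --- Vulnerable pattern: raw input stored, then echoed back unescaped ---------
function mbcpt_demo_save_vulnerable() {
    // Request value written to the options table exactly as received: no sanitisation.
    update_option( 'mbcpt_demo_label', wp_unslash( $_POST['label'] ?? '' ) );
}
function mbcpt_demo_render_vulnerable() {
    // Stored value placed straight into an attribute: no escaping, so whatever was
    // saved is interpreted by the browser of every admin who opens the page.
    echo '<input name="label" value="' . get_option( 'mbcpt_demo_label', '' ) . '">';
}

// --- Hardened pattern: sanitise on save, escape on output ---------------------
function mbcpt_demo_sanitize_label( $value ) {
    // Plain-text label: strip tags, octets and line breaks before storing.
    return sanitize_text_field( (string) $value );
}
function mbcpt_demo_sanitize_description( $value ) {
    // Field that legitimately carries markup: keep it intact only for users who
    // still hold unfiltered_html; otherwise reduce it to the post-content whitelist.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return (string) $value;
    }
    return wp_kses_post( (string) $value );
}
function mbcpt_demo_register_settings() {
    // register_setting() applies the callback on every save via options.php,
    // so the raw value never reaches the database.
    register_setting( 'mbcpt_demo', 'mbcpt_demo_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'mbcpt_demo_sanitize_label',
    ) );
    register_setting( 'mbcpt_demo', 'mbcpt_demo_description', array(
        'type'              => 'string',
        'sanitize_callback' => 'mbcpt_demo_sanitize_description',
    ) );
}
add_action( 'admin_init', 'mbcpt_demo_register_settings' );

function mbcpt_demo_render_hardened() {
    // Escape for the context the value lands in: attribute versus HTML body.
    echo '<input name="label" value="' . esc_attr( get_option( 'mbcpt_demo_label', '' ) ) . '">';
    echo '<div class="description">' . wp_kses_post( get_option( 'mbcpt_demo_description', '' ) ) . '</div>';
}
```

Output escaping is applied even though the value was sanitised on save, because the database may already hold values stored by an older, vulnerable version of the code.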

The operational impact of CVE-2024-10143 extends beyond simple script execution, as it enables attackers to potentially escalate privileges, access sensitive data, or manipulate the plugin's functionality. In multisite environments, where administrators may have varying levels of access control, this vulnerability creates opportunities for attackers to gain unauthorized access to other sites within the network. The stored nature of the XSS payload means that any user with administrative privileges who views the affected plugin settings page becomes vulnerable to script execution. This threat model aligns with CWE-79, which categorizes cross-site scripting vulnerabilities as a fundamental weakness in web application security. The vulnerability also demonstrates characteristics consistent with ATT&CK technique T1059.001, where adversaries leverage command injection or script execution to maintain persistent access within compromised systems.

Mitigation strategies for this vulnerability require immediate plugin updates to version 2.7.7 or later, where proper sanitization and escaping mechanisms have been implemented. System administrators should conduct thorough security audits of their WordPress installations to identify any potentially compromised configurations or stored malicious payloads. The remediation process should include monitoring for unauthorized changes to plugin settings and implementing additional input validation measures. Organizations should also consider implementing web application firewalls to detect and block suspicious script injection attempts, while maintaining regular security scanning of their WordPress environments. Security teams should review their access control policies to ensure that only trusted personnel have administrative privileges within the WordPress installation, reducing the attack surface for potential exploitation of this vulnerability.

Responsible

WPScan

Reservation

10/18/2024

Disclosure

05/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00166

KEV

no

Activities

very low

Sources
