CVE-2024-1051 in List Category Posts Plugin
Summary
by MITRE • 03/30/2024
The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.89.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'title_tag'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/14/2026
The vulnerability identified as CVE-2024-1051 affects the List category posts plugin for WordPress, specifically targeting versions up to and including 0.89.6. This represents a critical security flaw that undermines the integrity of WordPress installations by enabling malicious actors to execute persistent cross-site scripting attacks. The vulnerability resides within the plugin's 'catlist' shortcode implementation, which fails to properly sanitize or escape user-supplied input parameters, creating an avenue for attackers to inject malicious code that persists across user sessions.
The technical flaw manifests through insufficient input sanitization and output escaping mechanisms within the plugin's shortcode processing logic. When attackers supply malicious input through attributes such as 'title_tag', the plugin fails to adequately validate or escape these parameters before rendering them in the output. This vulnerability operates under the Common Weakness Enumeration framework as CWE-79, which categorizes it as a Cross-Site Scripting vulnerability, specifically a stored variant that allows malicious scripts to be permanently injected into the target system. The attack vector requires authenticated access with contributor-level permissions or higher, which represents a significant operational risk as it can be exploited by users who already have some level of administrative access.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to establish persistent footholds within WordPress environments. When legitimate users access pages containing the injected scripts, the malicious code executes in their browsers, potentially leading to session hijacking, data exfiltration, or further exploitation of the compromised systems. The stored nature of this XSS vulnerability means that once injected, the malicious scripts remain active until manually removed, creating a persistent threat that can affect multiple users over extended periods. This vulnerability directly aligns with ATT&CK technique T1566.001, which covers the exploitation of web applications through cross-site scripting attacks.
Mitigation strategies for CVE-2024-1051 require immediate action including updating to the latest plugin version where the vulnerability has been patched. Organizations should also implement additional security measures such as restricting user permissions to minimize the attack surface, implementing content security policies to prevent script execution, and monitoring for suspicious shortcode usage. The vulnerability demonstrates the importance of proper input validation and output escaping practices in web applications, particularly in plugins that process user-supplied data. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other plugins and themes, as this represents a common pattern in WordPress security issues where insufficient sanitization creates persistent attack vectors.