CVE-2024-5601 in Create Plugin

Summary

by MITRE • 06/27/2024

The Create by Mediavine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Schema Meta shortcode in all versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/22/2025

CVE-2024-5601 affects the Create by Mediavine WordPress plugin in versions up to and including 1.9.7, where a stored cross-site scripting flaw exists within the Schema Meta shortcode functionality. This vulnerability represents a critical security weakness that enables authenticated attackers with contributor-level privileges or higher to inject malicious scripts into WordPress pages. The flaw stems from inadequate input sanitization and insufficient output escaping in the code that processes user-supplied attributes within the plugin's shortcode implementation.

The technical exploitation of this vulnerability occurs through the manipulation of shortcode attributes that are processed by the plugin's Schema Meta functionality. When an attacker with contributor access or above submits a malicious payload through these attributes, the script gets stored within the WordPress database and subsequently executed whenever any user accesses the affected page. This stored nature of the XSS vulnerability means that the malicious code persists even after the initial injection, making it particularly dangerous as it can affect multiple users over time. The vulnerability specifically impacts the plugin's handling of user input within the schema meta shortcode, where attributes are not properly sanitized before being rendered in the output.

From an operational perspective, this vulnerability creates significant risk for WordPress sites using the affected plugin, as it allows attackers to escalate their privileges and potentially compromise user sessions. The attack vector requires only contributor-level access, which is often more easily obtained than higher administrative privileges, making this vulnerability particularly concerning for websites with multiple users or less strict access controls. The stored nature of the XSS means that even users who are not directly targeted by the initial attack can be compromised when they access pages containing the injected script, potentially leading to session hijacking, data theft, or further exploitation of the compromised systems.

Organizations should immediately update to the latest version of the Create by Mediavine plugin to remediate this vulnerability, because all versions up to and including 1.9.7 are affected. The mitigation strategy should include implementing strict input validation and output escaping for all user-supplied data, following established security practices such as those outlined in the OWASP Top Ten and CWE-79. Additionally, administrators should consider implementing web application firewalls and monitoring for suspicious shortcode usage patterns, while also reviewing user access controls to limit contributor-level privileges where possible. The vulnerability aligns with ATT&CK technique T1548.002 for privilege escalation and T1566 for initial access through malicious content, making it a significant concern for organizations that use the MITRE ATT&CK framework for threat modeling.
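The monitoring for suspicious shortcode usage mentioned above can start with an audit of stored post content, since injected attributes persist in the database after the plugin is updated. The following is an added example, not code from VulDB or the plugin: the tag name `example_schema_meta` is a hypothetical placeholder (the page does not state the shortcode's actual tag), the attribute parsing is a simplification of WordPress's own, and the sample rows are constructed.

```python
import re

# Hypothetical tag name: the page does not state the shortcode's actual tag.
SHORTCODE_TAG = "example_schema_meta"

# name="v", name='v' or name=bareword; a simplified reading of shortcode attributes.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# Things a plain metadata value should not contain.
SUSPICIOUS = [
    ("markup character", re.compile(r'[<>"]')),
    ("event-handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script URL scheme", re.compile(r"\bjavascript\s*:", re.I)),
]


def shortcode_re(tag):
    # Quoted values may contain ']' so they are consumed as whole units.
    body = r"""((?:[^\]"']|"[^"]*"|'[^']*')*)"""
    return re.compile(r"\[" + re.escape(tag) + r"\b" + body + r"\]")


def audit_post(post_id, content, tag=SHORTCODE_TAG):
    """Return (post_id, attribute, value, reasons) for each suspicious attribute."""
    findings = []
    for match in shortcode_re(tag).finditer(content):
        for name, dq, sq, bare in ATTR_RE.findall(match.group(1)):
            value = dq or sq or bare
            reasons = [label for label, rx in SUSPICIOUS if rx.search(value)]
            if reasons:
                findings.append((post_id, name, value, reasons))
    return findings


# Constructed sample rows standing in for (ID, post_content) from wp_posts.
SAMPLE_POSTS = {
    101: '[example_schema_meta name="Weeknight Pasta" content="30 minutes"]',
    102: "[example_schema_meta name='x' content='\" onmouseover=\"x']",
    103: '[example_schema_meta content="<b>bold</b>"] [other_tag content="<i>x</i>"]',
}


def audit_all(posts=SAMPLE_POSTS, tag=SHORTCODE_TAG):
    return [f for pid, body in sorted(posts.items()) for f in audit_post(pid, body, tag)]


if __name__ == "__main__":
    for post_id, name, value, reasons in audit_all():
        print(f"post {post_id}: {name}={value!r} -> {', '.join(reasons)}")
```

Findings are leads for manual review of the post and its author, not proof of injection; legitimate values can contain flagged characters.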

Reservation: 06/03/2024

Disclosure: 06/27/2024

Moderation: accepted

CPE: ready

EPSS: 0.00233

KEV: no

Activities: very low
