CVE-2024-9589 in Category and Taxonomy Meta Fields Plugin
Summary
by MITRE • 10/22/2024
The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_meta_name' parameter in the 'wpaft_option_page' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/03/2025
The vulnerability identified as CVE-2024-9589 affects the Category and Taxonomy Meta Fields plugin for WordPress, specifically targeting versions up to and including 1.0.0. This represents a critical stored cross-site scripting flaw that exploits the 'new_meta_name' parameter within the 'wpaft_option_page' function. The vulnerability arises from inadequate input sanitization and output escaping mechanisms that fail to properly validate or escape user-supplied attributes before processing them within the plugin's administrative interface. The flaw is particularly concerning because it requires only authenticated access with administrator-level permissions or higher, making it accessible to users who already possess elevated privileges within the WordPress environment.
The technical execution of this vulnerability occurs through the manipulation of the 'new_meta_name' parameter during administrative operations within the plugin's option page functionality. When an attacker with sufficient privileges creates or modifies meta fields through the administrative interface, the plugin fails to adequately sanitize the input data before storing it within the WordPress database. This stored data then becomes executable when other users access pages containing the maliciously crafted meta field names, effectively creating a persistent XSS vector that can affect any user who views the compromised content. The vulnerability specifically impacts multi-site installations and environments where the unfiltered_html capability has been disabled, which are common security configurations in enterprise and managed hosting environments.
From an operational perspective, this vulnerability presents significant risks to WordPress installations that rely on the Category and Taxonomy Meta Fields plugin for managing content taxonomy and metadata. The stored nature of the XSS attack means that malicious scripts can persist indefinitely until manually removed by administrators, creating long-term exposure windows for potential exploitation. Attackers could leverage this vulnerability to execute malicious code in the context of affected users' browsers, potentially leading to session hijacking, data exfiltration, or further compromise of the WordPress installation. The impact is amplified in multi-site environments where a single compromised meta field could affect multiple sites within the network, and in installations with restricted HTML capabilities where the vulnerability becomes more pronounced due to the specific sanitization mechanisms being bypassed.
The vulnerability aligns with CWE-79 which defines Cross-Site Scripting as a weakness that occurs when an application incorporates untrusted data into web pages without proper validation or escaping. This weakness specifically manifests as a stored XSS vulnerability when user input is stored and subsequently reflected in web pages without adequate security measures. From an ATT&CK framework perspective, this vulnerability maps to technique T1059.001 for command and scripting interpreter and T1566.001 for credential access through social engineering, as attackers could use the XSS to harvest user credentials or manipulate administrative interfaces. Organizations should implement immediate mitigations including plugin updates to versions that address the sanitization issues, implementation of web application firewalls to detect and block malicious input patterns, and regular monitoring of administrative interfaces for unauthorized modifications. Additionally, security teams should consider implementing network segmentation and privilege least-privilege principles to limit the potential impact of successful exploitation attempts, as well as regular security audits of installed plugins to identify and remediate similar vulnerabilities across the WordPress ecosystem.