CVE-2024-9589

Name of the Vulnerable Software and Affected Versions Category and Taxonomy Meta Fields plugin for WordPress version 1.0.0

Description The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The new meta name parameter in the wpaft option page function is specifically vulnerable. This issue only affects multi-site installations and installations where unfiltered html has been disabled.

Recommendations For version 1.0.0, consider disabling the wpaft option page function or restricting access to it until a patch is available. Additionally, restrict the use of the new meta name parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.