CVE-2024-43278

Vulnerability

Overview The Meta Field Block plugin for WordPress, versions up to 1.2.13, contains a stored cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input before it is stored and later rendered in web pages, failing to escape output effectively [1].

Exploitation

Prerequisites Exploitation requires an authenticated user with at least Contributor-level privileges to insert a malicious script into a meta field block. The stored XSS is then triggered when an administrator or other privileged user visits the affected page, making it reliant on user interaction to execute the payload [1].

Impact

Successful exploitation allows an attacker to inject arbitrary JavaScript, which can perform actions such as redirecting visitors, displaying unauthorized advertisements, or exfiltrating data. This can affect site integrity and user trust, and the vulnerability may be targeted in mass campaigns due to WordPress's widespread use [1].

Mitigation

The vulnerability is fixed in version 1.2.14. Users are strongly advised to update immediately. For those unable to update, the reference recommends contacting a hosting provider or web developer. The vulnerability has a CVSS v3 base score of 6.5 (Medium) and requires user interaction, but Patchstack notes it is unlikely to be exploited in the wild [1].