Custom Field Suite Vulnerability- Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2024-0689 | WordPress Plugin Vulnerability Report
Plugin Name: Custom Field Suite
Key Information:
- Software Type: Plugin
- Software Slug: custom-field-suite
- Software Status: Active
- Software Author: mgibbs189
- Software Downloads: 590,448
- Active Installs: 50,000
- Last Updated: February 28, 2024
- Patched Versions: 2.6.5
- Affected Versions: <= 2.6.4
Vulnerability Details:
- Name: Custom Field Suite <= 2.6.4
- Title: Authenticated (Admin+) Stored Cross-Site Scripting
- Type: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-0689
- CVSS Score: 4.4
- Publicly Published: February 28, 2024
- Researcher: Sh
- Description: The Custom Field Suite plugin, a popular tool among WordPress users for custom field management, has been identified with a critical vulnerability in versions up to and including 2.6.4. This vulnerability stems from inadequate input sanitization and output escaping on meta values, allowing authenticated attackers with administrator-level permissions to inject malicious scripts. These scripts can then be executed whenever a user accesses a compromised page, posing a significant security risk, particularly in multi-site installations or environments where unfiltered_html is disabled.
Summary:
The Custom Field Suite plugin for WordPress contains a vulnerability in versions up to and including 2.6.4, which enables authenticated admin-level users to perform Stored Cross-Site Scripting attacks via meta imports. This security flaw has been effectively addressed in the recently released version 2.6.5.
Detailed Overview:
This security issue was discovered by a researcher known as Sh, who highlighted the plugin's failure to properly sanitize input and escape output for meta values. This oversight makes it feasible for attackers with sufficient permissions to introduce harmful scripts into web pages, compromising the site's integrity and the safety of its users. The specific conditions under which this vulnerability can be exploited—namely, within multi-site setups or where unfiltered_html is restricted—underscore the nuanced nature of WordPress security and the need for comprehensive protective measures.
Advice for Users:
- Immediate Action: Users of the Custom Field Suite plugin are strongly encouraged to update to version 2.6.5 immediately to mitigate the risk associated with this vulnerability.
- Check for Signs of Vulnerability: Administrators should review their sites for any unusual content or behavior that may indicate a successful exploitation of this vulnerability, especially in multi-site environments.
- Alternate Plugins: Considering the potential risks, users may explore alternative plugins that offer similar functionality but with a stronger emphasis on security, particularly those with a consistent track record of timely updates and patches.
- Stay Updated: The cornerstone of maintaining a secure WordPress site is the diligent updating of all plugins and themes. Users should regularly check for updates and apply them without delay to protect against known vulnerabilities.
Conclusion:
The swift identification and patching of the Stored Cross-Site Scripting vulnerability in the Custom Field Suite plugin underscore the critical importance of maintaining up-to-date software on WordPress sites. By promptly applying security updates and adopting best practices for site management, users can significantly enhance the security of their online presence. This incident serves as a reminder of the ongoing vigilance required to safeguard digital assets in an increasingly complex cyber landscape.
References:
- Wordfence Vulnerability Report on Custom Field Suite
- Wordfence Vulnerabilities for Custom Field Suite