Meta Box Vulnerability– WordPress Custom Fields Framework – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2023-6526 |WordPress Plugin Vulnerability Report

Plugin Name: Meta Box – WordPress Custom Fields Framework

Key Information:

  • Software Type: Plugin
  • Software Slug: meta-box
  • Software Status: Active
  • Software Author: rilwis
  • Software Downloads: 16,593,050
  • Active Installs: 700,000
  • Last Updated: February 8, 2024
  • Patched Versions: 5.9.3
  • Affected Versions: <= 5.9.2

Vulnerability Details:

  • Name: Meta Box – WordPress Custom Fields Framework <= 5.9.2
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2023-6526
  • CVSS Score: 6.4
  • Publicly Published: February 5, 2024
  • Researcher: Francesco Carlucci
  • Description: The Meta Box plugin is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 5.9.2. The vulnerability stems from inadequate sanitization of custom post meta values displayed through the plugin's shortcodes, enabling authenticated users with contributor-level permissions or higher to inject malicious scripts into web pages.


The Meta Box plugin, a powerful tool for WordPress developers to create custom fields and meta boxes, has been identified with a significant security flaw affecting versions up to 5.9.2. This vulnerability allows authenticated attackers, such as contributors, to execute Stored Cross-Site Scripting attacks by embedding harmful scripts in custom post meta values. Addressing this issue, version 5.9.3 has been released with the necessary patches to mitigate the risk.

Detailed Overview: Discovered by security researcher Francesco Carlucci, this vulnerability highlights the critical need for strict input sanitization and output escaping in web development. The vulnerability's exploitation could lead to unauthorized script execution, compromising website integrity and user security. Given the plugin's widespread use, the potential impact is significant, emphasizing the urgency of updating to the patched version.

Advice for Users:

  • Immediate Action: Users of the Meta Box plugin should immediately upgrade to version 5.9.3 or later to secure their websites against this XSS vulnerability.
  • Check for Signs of Vulnerability: Administrators should review their websites for any unusual content or behavior, especially in areas where custom post meta values are displayed, to identify potential exploitation.
  • Alternate Plugins: While the patched version is secure, users may explore alternative custom fields and meta box plugins, especially those with a strong emphasis on security and regular updates.
  • Stay Updated: Keeping all WordPress plugins up-to-date is essential in protecting against known vulnerabilities. Regular monitoring for updates and applying them promptly can significantly enhance website security.


The swift response from the Meta Box plugin developers in releasing a patch for CVE-2023-6526 underscores the ongoing challenge of web security and the critical role of timely software updates. By updating to version 5.9.3, users can safeguard their WordPress sites from this specific vulnerability. The incident serves as a reminder of the importance of continuous vigilance and proactive security measures in the digital landscape.


In today's digital age, where websites serve as the backbone of businesses large and small, the importance of cybersecurity cannot be overstated. The recent discovery of a vulnerability in the "Meta Box – WordPress Custom Fields Framework" plugin, designated as CVE-2023-6526, underscores the perpetual need for vigilance and proactive maintenance in the realm of website management. This plugin, integral to over 700,000 WordPress sites for its ability to facilitate extensive customization without deep coding, has unfortunately become a vector for potential security breaches.

Plugin Overview:

Meta Box is a powerful WordPress plugin developed by rilwis, boasting over 16 million downloads. It enables developers and site owners to effortlessly create custom fields and meta boxes, enhancing the functionality and user experience of their sites. Despite its widespread use and the developer's commitment to the plugin, vulnerabilities like CVE-2023-6526 highlight the challenges inherent in maintaining such complex software.

Vulnerability Details:

CVE-2023-6526 exposes a Stored Cross-Site Scripting (XSS) flaw in versions of Meta Box up to 5.9.2. This vulnerability arises from the plugin's failure to adequately sanitize custom post meta values, allowing attackers with at least contributor-level access to inject malicious scripts. These scripts can then be executed by unsuspecting users, leading to potential data breaches and compromised site integrity.

Risks and Potential Impacts:

The primary risk associated with CVE-2023-6526 lies in its ability to compromise website security and user trust. Authenticated users exploiting this vulnerability can perform unauthorized actions, access sensitive data, and potentially take control of the affected website, posing significant threats to both site owners and their audience.

Remediation Steps:

To mitigate the risks posed by CVE-2023-6526, site owners must promptly update the Meta Box plugin to the patched version, 5.9.3. Additionally, conducting a thorough review of user roles and permissions, alongside regular audits of website content and functionality, can help prevent future exploits.

Previous Vulnerabilities:

This is not the first time vulnerabilities have been identified in the Meta Box plugin, with two previous issues reported since February 1, 2019. Each vulnerability serves as a learning opportunity, reinforcing the necessity of ongoing security assessments and updates.


The swift action taken by the developers of Meta Box in addressing CVE-2023-6526 through the release of a patched version is commendable. However, this incident is a stark reminder of the dynamic nature of web security threats and the critical role of regular updates in safeguarding digital assets. For small business owners, the challenge of maintaining a secure WordPress site amidst numerous other responsibilities can be daunting. Yet, the consequences of neglecting this aspect of website management can be dire. Leveraging automated update features, subscribing to security advisories, and periodically consulting with cybersecurity professionals can alleviate some of the burdens, ensuring that your site remains secure and trustworthy in the ever-evolving digital landscape.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Meta Box Vulnerability– WordPress Custom Fields Framework – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2023-6526 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment