WordPress plugins are essential tools that enhance the functionality of websites, allowing users to extend features without modifying core code. However, security vulnerabilities in plugins can expose websites to serious threats, including Cross-Site Scripting (XSS) attacks. One such vulnerability has been identified in the “MB Custom Post Types & Custom Taxonomies” plugin (CVE-2024-10143), allowing stored XSS exploitation that could lead to administrative account creation and malicious script execution.

CVE: CVE-2024-10143
Plugin: MB Custom Post Types & Custom Taxonomies < 2.7.7
Critical: High
All Time: 275 964
Active installations: 10 000+
Publicly Published: March 05, 2025
Last Updated: March 05, 2025
Researcher: Artyom Krugov
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://wpscan.com/vulnerability/b5fd7a3e-33e4-4c73-a581-881f063855b0/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10143

Timeline

September 9, 2024: Plugin testing and vulnerability detection in MB Custom Post Types & Custom Taxonomies were completed.
September 9, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
March 04, 2025: Registered CVE-2024-10143.

Discovery of the Vulnerability

During security testing, it was discovered that the MB Custom Post Types & Custom Taxonomies plugin fails to properly sanitize and escape user inputs in specific fields. The vulnerability is triggered when an attacker injects a malicious payload into the “Media frame filter” label parameter, leading to stored XSS. This flaw allows unauthorized script execution whenever an admin interacts with the affected section of the website, potentially escalating privileges and compromising site security.

Understanding XSS Attacks

Stored XSS occurs when a web application stores user input in a database or file system and later serves it to users without proper sanitization. In the WordPress ecosystem, stored XSS vulnerabilities can be particularly dangerous, as they can be leveraged to inject persistent malicious scripts that execute whenever a victim accesses a compromised section of the site.

Real-world examples of stored XSS attacks in WordPress include:

  • Malicious scripts executing when administrators manage posts, pages, or plugin settings.
  • Injected payloads in user comments, affecting visitors and logged-in users.
  • Exploits leading to credential theft, unauthorized actions, or malware distribution.

Exploiting the XSS Vulnerability

To exploit this vulnerability in MB Custom Post Types & Custom Taxonomies:

POC:

1) Navigate to the Post Types panel in the WordPress admin dashboard.
2) Click "New Post Type" and fill in the required fields (Plural name, Singular name, Slug).
3) Open the "Labels" options.
4) Locate the "Media frame filter" field under Label parameters.
5) Inject the following payload
6) Save the post type configuration.
7) Create a new post within the registered post type.
8) Assign a featured image and access the Media Library, where the payload will execute.



The flaw exists in the way the plugin stores the post-type label values, in particular the “Media frame filter” label, and later renders them in the admin interface without sanitization or escaping. Attackers with administrative or editor-level access can inject malicious JavaScript code, which executes when a user interacts with the affected elements.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2024-10143, website administrators and developers should take the following steps:

  1. Update the Plugin: Ensure you are using the latest patched version of MB Custom Post Types & Custom Taxonomies.
  2. Implement Input Validation and Escaping: WordPress developers should sanitize and escape all user inputs, especially those that are stored and later rendered on the frontend or backend.
  3. Enable a Web Application Firewall (WAF): Security plugins such as Wordfence or Sucuri can help block XSS attempts in real-time.
  4. Restrict User Permissions: Limit who can create and modify custom post types to prevent unauthorized users from injecting malicious scripts.
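As an added illustration of step 2 (not the plugin's own code, and with hypothetical function names), the following PHP shows the unsafe pattern behind a stored XSS in a post-type label next to the corrected version: sanitize on save, then escape for the exact output context. Inside WordPress the real esc_attr(), esc_html() and sanitize_text_field() are used; the stand-ins below only let the file run outside WordPress.

```php
<?php
// Stand-ins so this runs outside WordPress; when WordPress is loaded,
// its own esc_attr()/esc_html()/sanitize_text_field() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    // Simplified: WordPress also strips invalid octets, line breaks and extra whitespace.
    function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }
}

// Constructed label value containing markup characters, standing in for
// whatever an editor types into the "Media frame filter" label field.
$raw_label = 'All "media" <b>files</b>';

// VULNERABLE pattern: the stored label is concatenated straight into admin
// markup, so any markup the label contains becomes part of the page.
function render_filter_option_unsafe(string $label): string
{
    return '<option value="' . $label . '">' . $label . '</option>';
}

// FIXED pattern, part 1: sanitize when saving (tags are stripped).
// A real save handler would also check the user's capability and nonce.
function save_label(string $raw): string
{
    return sanitize_text_field($raw);
}

// FIXED pattern, part 2: escape for the context the value lands in:
// esc_attr() inside the attribute, esc_html() inside the text node.
function render_filter_option_safe(string $stored_label): string
{
    return '<option value="' . esc_attr($stored_label) . '">'
         . esc_html($stored_label) . '</option>';
}

echo "unsafe: ", render_filter_option_unsafe($raw_label), PHP_EOL;
echo "safe:   ", render_filter_option_safe(save_label($raw_label)), PHP_EOL;
```

Running it shows the quotes and tags surviving intact in the unsafe output, while the safe output carries only entity-encoded text that the browser renders literally.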

To prevent this type of attack, the vendor applied the prevention methods we recommended.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10143, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Artyom k.
CVE-2024-10143 – MB Custom Post Types & Custom Taxonomies – Stored XSS to Admin Creation – POC
