
CVE-2024-10143: CWE-79 Cross-Site Scripting (XSS) in Unknown MB Custom Post Types & Custom Taxonomies

Medium
Tags: Vulnerability, CVE-2024-10143, CWE-79
Published: Thu May 15 2025 (05/15/2025, 20:06:41 UTC)
Source: CVE
Vendor/Project: Unknown
Product: MB Custom Post Types & Custom Taxonomies

Description

The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

AI last updated: 07/04/2025, 10:56:36 UTC

Technical Analysis

CVE-2024-10143 is a medium-severity vulnerability classified as CWE-79 (Cross-Site Scripting, XSS) affecting the WordPress plugin MB Custom Post Types & Custom Taxonomies prior to version 2.7.7. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings, allowing high-privilege users, such as administrators, to inject and store malicious scripts. This stored XSS can be exploited even when the unfiltered_html capability is disabled (for example in multisite WordPress environments), a capability that normally limits raw HTML input to trusted users.

The vulnerability requires high privileges (admin-level) and user interaction (the admin must perform actions that trigger the stored XSS), but it can lead to a scope change where the impact crosses user boundaries (S:C in CVSS), potentially affecting other users who view the malicious content. The CVSS 3.1 score is 4.8 (medium), reflecting network attack vector, low attack complexity, high privileges required, user interaction required, and limited confidentiality and integrity impact without availability impact. No known exploits are currently reported in the wild.

The vulnerability is significant because stored XSS can lead to session hijacking, privilege escalation, or defacement if exploited effectively, especially in multisite setups where multiple sites share the same WordPress installation.
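To make the failure mode concrete, the following is an added illustration, not code from the MB Custom Post Types & Custom Taxonomies plugin (whose affected settings are not shown on this page). The option name mbcpt_demo_label, the settings group and the function names are hypothetical. The point it shows: for users without unfiltered_html, WordPress core runs post content through its KSES filter, but an option written through the Settings API receives no such filtering unless the plugin itself supplies a sanitize_callback on save and escapes the value on output. The vulnerable and hardened handlers are shown side by side.

```php
<?php
// Added illustration (not the plugin's own code). Option name, settings
// group and function names are hypothetical; WordPress core functions are
// assumed to be loaded because this runs inside a plugin.

// ---------- Vulnerable pattern ----------
// Stores whatever the admin submitted and echoes it back unescaped into an
// attribute. Core does not filter option values for users lacking
// unfiltered_html, so a value containing a closing quote and a tag, or an
// event-handler attribute, is stored verbatim and rendered for every user
// who later opens the settings page: a stored XSS.
function mbcpt_demo_register_unsafe() {
    register_setting( 'mbcpt_demo', 'mbcpt_demo_label' ); // no sanitize_callback
}
function mbcpt_demo_render_unsafe() {
    $value = get_option( 'mbcpt_demo_label', '' );
    echo '<input type="text" name="mbcpt_demo_label" value="' . $value . '">';
}

// ---------- Hardened pattern ----------
// 1. Sanitise on save: register_setting() with a sanitize_callback, so even an
//    administrator can only persist plain text in this field.
// 2. Escape on output: esc_attr() in attribute context, esc_html() in text
//    context. The escaping function is chosen by where the value lands in
//    the markup, not by who entered it.
function mbcpt_demo_sanitize_label( $input ) {
    // sanitize_text_field() strips tags, invalid UTF-8 octets and line breaks.
    // Use wp_kses_post() instead only if limited HTML is a feature of the field.
    return sanitize_text_field( (string) $input );
}
function mbcpt_demo_register_safe() {
    register_setting(
        'mbcpt_demo',
        'mbcpt_demo_label',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'mbcpt_demo_sanitize_label',
            'default'           => '',
        )
    );
}
function mbcpt_demo_render_safe() {
    $value = get_option( 'mbcpt_demo_label', '' );
    // Attribute context.
    printf(
        '<input type="text" name="mbcpt_demo_label" value="%s">',
        esc_attr( $value )
    );
    // Text context, e.g. a preview of the stored label.
    printf( '<p>Current label: %s</p>', esc_html( $value ) );
}

add_action( 'admin_init', 'mbcpt_demo_register_safe' );
```

Both layers matter: sanitising on save protects the database from markup, and escaping on output protects the page even if a value reached the database by another route (an import, a direct update_option() call, or an older plugin version that did not sanitise).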

Potential Impact

For European organizations using WordPress multisite environments with the MB Custom Post Types & Custom Taxonomies plugin, this vulnerability poses a moderate risk. Attackers with admin access could inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of other users. This could compromise the confidentiality and integrity of organizational data and user accounts. In sectors such as government, finance, healthcare, and media—where WordPress is commonly used for content management—such an attack could disrupt operations, damage reputation, and lead to regulatory non-compliance under GDPR if personal data is exposed. The requirement for admin privileges limits the risk to insider threats or compromised admin accounts, but the vulnerability still demands attention to prevent lateral movement or privilege escalation within the network.

Mitigation Recommendations

1. Immediate upgrade to MB Custom Post Types & Custom Taxonomies plugin version 2.7.7 or later, where the vulnerability is patched.
2. Restrict admin access strictly using role-based access controls and monitor admin activities to detect suspicious behavior.
3. Implement Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources.
4. Regularly audit and sanitize all plugin settings and custom post type configurations, especially in multisite environments.
5. Employ Web Application Firewalls (WAF) with rules to detect and block XSS payloads targeting WordPress plugins.
6. Educate administrators on safe content input practices and the risks of stored XSS.
7. Monitor logs for unusual admin actions or unexpected changes in plugin settings that could indicate exploitation attempts.
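Items 4 and 7 above (auditing plugin settings and watching for unexpected changes) can be implemented inside WordPress itself. The following is an added example, not code from this advisory or from the plugin: an audit hook on the core updated_option action that records who changed a plugin option, on which site of a multisite network, and whether the new value carries markup. The option-name prefix mbcpt_ and the use of error_log() as the destination are assumptions for illustration; in practice the prefix would be the plugin's real one and the log line would be forwarded to a SIEM.

```php
<?php
// Added example (not part of the advisory or the plugin). The option prefix
// and log destination are hypothetical; WordPress core is assumed loaded.

define( 'MBCPT_AUDIT_PREFIX', 'mbcpt_' ); // hypothetical option-name prefix

// Returns true when a setting value contains HTML tags, inline event-handler
// attributes or a javascript: URL, the usual carriers of stored XSS in
// settings fields. Nested array settings are flattened before inspection.
function mbcpt_audit_looks_like_markup( $value ) {
    $flat = is_scalar( $value ) ? (string) $value : wp_json_encode( $value );
    return (bool) preg_match( '/<\s*\/?[a-z]|\bon[a-z]+\s*=|javascript\s*:/i', $flat );
}

// Fired by core after any option is written. Only options under the plugin
// prefix are recorded; each record names the acting user, whether that user
// holds unfiltered_html, the site in the network, and whether the value was
// flagged. A flagged write by a user without unfiltered_html is the pattern
// described by this CVE and should be reviewed.
function mbcpt_audit_option_change( $option, $old_value, $value ) {
    if ( strpos( $option, MBCPT_AUDIT_PREFIX ) !== 0 ) {
        return; // not one of the plugin's settings
    }
    $user   = wp_get_current_user();
    $record = array(
        'time'            => gmdate( 'c' ),
        'site_id'         => get_current_blog_id(),
        'option'          => $option,
        'user_id'         => $user->ID,
        'user_login'      => $user->user_login,
        'unfiltered_html' => current_user_can( 'unfiltered_html' ),
        'flagged'         => mbcpt_audit_looks_like_markup( $value ),
        'changed'         => $old_value !== $value,
    );
    // error_log() writes to PHP's configured error log; ship it from there.
    error_log( 'mbcpt-audit ' . wp_json_encode( $record ) );
}
add_action( 'updated_option', 'mbcpt_audit_option_change', 10, 3 );
```

The hook is deliberately record-only: it does not block the write, because the authoritative fix is the plugin upgrade (item 1), and a silent block would hide the attempt from the log. The flagged field gives a log-search rule a single key to alert on.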


Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2024-10-18T17:40:05.711Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f71484d88663aeaf03

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 10:56:36 AM

Last updated: 7/31/2025, 6:11:57 PM

