CVE-2024-9589 is a stored cross-site scripting vulnerability in the Category and Taxonomy Meta Fields plugin for WordPress, specifically in versions up to and including 1.0.0. The issue exists due to improper neutralization of input in the 'new_meta_name' parameter handled by the 'wpaft_option_page' function, allowing authenticated administrators or higher to inject malicious scripts. This vulnerability only impacts multi-site WordPress setups or installations where the 'unfiltered_html' capability is disabled, as these conditions affect how input is sanitized and output is escaped. The CVSS 3.1 base score is 5.5, indicating medium severity with network attack vector, low attack complexity, high privileges required, no user interaction, and impacts on confidentiality and integrity but not availability. No patch or remediation is currently available from the vendor, and no exploits have been observed in the wild.

An attacker with administrator-level permissions on affected WordPress multi-site installations or those with 'unfiltered_html' disabled can inject persistent malicious scripts via the vulnerable parameter. These scripts execute in the context of users visiting the injected pages, potentially compromising confidentiality and integrity of user data or site content. The vulnerability does not affect single-site installations or those with 'unfiltered_html' enabled. There is no known active exploitation reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should restrict access to trusted users only and consider disabling or removing the vulnerable plugin in multi-site environments or where 'unfiltered_html' is disabled. Monitoring for plugin updates and applying them promptly once available is recommended.