CVE-2024-9590 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Category and Taxonomy Meta Fields plugin for WordPress, affecting all versions up to and including 1.0.0. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied data in the 'wpaft_add_meta_textinput' function's handling of the image meta field value. This flaw allows authenticated users with editor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress site context. The vulnerability is limited to WordPress multisite installations or those with the unfiltered_html capability disabled, as these environments restrict direct HTML input, making the plugin's sanitization critical. The CVSS 3.1 score of 5.5 reflects that the attack can be launched remotely over the network with low complexity but requires high privileges (editor or above) and no user interaction. No public exploit code has been reported yet, but the potential for exploitation exists given the widespread use of WordPress and this plugin in multisite setups. The vulnerability highlights the importance of proper input validation and output encoding in plugin development to prevent stored XSS attacks that can compromise site integrity and user data confidentiality.

The primary impact of CVE-2024-9590 is the potential for stored Cross-Site Scripting attacks within WordPress multisite environments using the vulnerable plugin. Successful exploitation allows attackers with editor-level privileges to inject malicious scripts that execute in the browsers of users who visit the compromised pages. This can lead to theft of authentication cookies, session hijacking, unauthorized actions performed on behalf of users, and potential privilege escalation if administrative users are targeted. While the vulnerability does not directly affect availability, it undermines the confidentiality and integrity of user data and site content. Given that multisite installations often serve multiple sites or users, the scope of impact can be significant, potentially affecting many users and sites within a network. Organizations relying on this plugin in multisite configurations face risks of reputational damage, data breaches, and unauthorized access if the vulnerability is exploited. The requirement for editor-level privileges limits the attack surface but does not eliminate risk, especially in environments with multiple trusted users or compromised accounts.

To mitigate CVE-2024-9590, organizations should first update the Category and Taxonomy Meta Fields plugin to a patched version once available. In the absence of an official patch, administrators can implement the following measures: 1) Restrict editor-level and higher permissions strictly to trusted users to reduce the risk of malicious script injection. 2) Employ Web Application Firewalls (WAFs) with rules designed to detect and block suspicious script injection patterns in meta fields. 3) Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 4) Regularly audit multisite installations for unexpected or suspicious meta field content, especially in the image meta fields. 5) Consider disabling or limiting the use of the vulnerable plugin in multisite environments until a fix is applied. 6) Educate site administrators and editors about the risks of injecting untrusted content and encourage safe content management practices. These targeted steps go beyond generic advice by focusing on privilege management, monitoring, and layered defenses specific to the vulnerability's exploitation vector.