CVE-2024-9590: 
WordPress vulnerability analysis and mitigation

The Category and Taxonomy Meta Fields plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9590) discovered in versions up to and including 1.0.0. The vulnerability was identified in the 'wpaftaddmeta_textinput' function, where insufficient input sanitization and output escaping on user-supplied attributes creates a security risk (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.5 (Medium) according to Wordfence, and 4.8 (Medium) according to NVD. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), high privileges (PR:H), and no user interaction (UI:N) according to Wordfence's assessment (Wordfence).

The vulnerability allows authenticated attackers with editor-level and above permissions to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. This vulnerability specifically affects multi-site installations and installations where unfiltered_html has been disabled (NVD).

Users should update the Category and Taxonomy Meta Fields plugin to a version newer than 1.0.0 if available. If an update is not available, consider disabling the plugin until a patch is released (NVD).