WordPress plugins make our lives easier, but even popular plugins can have security holes. In this post we take a close look at CVE-2024-13101, a stored Cross-Site Scripting (XSS) vulnerability in the WP MediaTagger plugin for WordPress (all versions up to and including 4.1.1). We break it down in plain language, show how the exploit works, walk through the vulnerable and fixed code, and point you to references.
What is WP MediaTagger?
WP MediaTagger lets users organize WordPress media files by assigning tags to them, and those tags can be embedded in posts and pages through shortcodes. It is a helpful plugin, but through version 4.1.1 it had a serious problem: some shortcode attributes reached the rendered page without being escaped.
What is CVE-2024-13101?
This vulnerability lets any user with the Contributor role or higher run JavaScript in the browser of anyone who views a page or post that embeds the plugin's shortcode. The root cause is that some shortcode attributes are written into the HTML output without being escaped. That matters because WordPress already guards against the obvious attack: a Contributor does not have the unfiltered_html capability, so KSES strips script tags and on* event-handler attributes from their post content when it is saved. A shortcode, however, is plain bracketed text, so it passes that filter unchanged; the dangerous markup is only produced later, when the plugin expands the shortcode at render time. The payload is therefore stored in the post and served to every visitor.
When a victim loads the page, their browser runs the injected code in that user's session. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is the least likely outcome; the realistic impact is script acting as the viewer. If the viewer is an administrator, that means creating accounts, changing settings or installing plugins through the admin UI or the REST API on the attacker's behalf, or simply redirecting visitors elsewhere.
Vulnerable Shortcode Example
Suppose the plugin provides a shortcode [wpmts tag=""] that displays media carrying a given tag (wpmts is a stand-in name used for this walkthrough, not necessarily the plugin's real shortcode), and that the plugin writes the tag attribute into an HTML attribute without escaping it.
A user with Contributor rights creates a post containing
[wpmts tag='" onmouseover="alert(1)']
WordPress's shortcode parser accepts single-quoted attribute values, and a single-quoted value may contain double quotes, so the value of tag becomes " onmouseover="alert(1) with both double quotes intact. When the plugin drops that into data-tag="...", the first quote closes the data-tag attribute and the remainder becomes a new onmouseover attribute on the element. Hovering over the rendered element runs alert(1). A real attacker would not wait for a hover: the same break-out can inject attributes such as tabindex, autofocus and onfocus that fire without any interaction, and the handler would load a script rather than pop an alert.
Code Walkthrough
Let's imagine how the plugin's vulnerable code may look. This is a reconstruction for illustration, not the plugin's actual source.
Vulnerable code
// Inside the plugin's shortcode handler (reconstruction, not the real plugin source)
function wpmts_shortcode( $atts ) {
    // shortcode_atts() only fills in defaults; it does not sanitize anything
    $atts = shortcode_atts( array( 'tag' => '' ), $atts, 'wpmts' );
    // $atts['tag'] is still the raw string the post author typed
    $tag = $atts['tag'];
    return '<div class="media-tag" data-tag="' . $tag . '">Tagged Media</div>';
}
add_shortcode( 'wpmts', 'wpmts_shortcode' );
The problem:
$tag is concatenated straight into HTML output. Whatever the post author typed as the tag attribute, quotes and all, lands inside the data-tag attribute and can close it and start new ones.
To fix this, the plugin should escape the value at the point where it is written into the attribute
function wpmts_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'tag' => '' ), $atts, 'wpmts' );
    // esc_attr() runs at output time, right where the value enters an HTML attribute
    $tag = esc_attr( $atts['tag'] );
    return '<div class="media-tag" data-tag="' . $tag . '">Tagged Media</div>';
}
add_shortcode( 'wpmts', 'wpmts_shortcode' );
esc_attr() encodes &, <, >, " and ', so the value can no longer close the attribute it sits in or start a new one. Two caveats a reviewer would add. First, escaping must match the context: a value placed between tags needs esc_html(), one used as a URL needs esc_url(), and esc_attr() does not help in an unquoted attribute (spaces are not encoded) or inside an inline script. Second, WordPress convention is to escape late, at output, rather than to rely on sanitizing at input, because the same stored value may end up in several different contexts.
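To see the walkthrough above end to end, here is an added, stand-alone PHP script; it is not code from this post or from WP MediaTagger. It models the relevant WordPress pieces with small stand-ins (an attribute parser that accepts the same three quoting forms as shortcode_parse_atts(), htmlspecialchars() in place of esc_attr(), and a regex expansion in place of do_shortcode()), then renders the Contributor's payload through the vulnerable and the fixed handler. The shortcode name wpmts, the handler names and the sample post are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the post or from WP MediaTagger: a stand-alone
// model of the unescaped-attribute bug. The shortcode name "wpmts", the two
// handlers and the helper stand-ins are assumptions; inside WordPress the
// real pieces are shortcode_parse_atts(), do_shortcode() and esc_attr().

// Stand-in for shortcode_parse_atts(): accepts name="v", name='v' and bare
// name=v. As in WordPress, a single-quoted value may contain double quotes.
function parse_shortcode_atts(string $text): array
{
    $atts = [];
    $pattern = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\'"]+))/';
    preg_match_all($pattern, $text, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        // Only the quoting alternative that matched holds text; the rest are ''.
        $atts[strtolower($m[1])] = ($m[2] ?? '') . ($m[3] ?? '') . ($m[4] ?? '');
    }
    return $atts;
}

// Stand-in for esc_attr(): encode & < > " ' so a value can neither close the
// attribute it sits in nor start a new one.
function esc_attr_like(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The handler as the walkthrough imagines it: raw attribute straight into HTML.
function wpmts_vulnerable(array $atts): string
{
    $tag = $atts['tag'] ?? '';
    return '<div class="media-tag" data-tag="' . $tag . '">Tagged Media</div>';
}

// The same handler with late escaping at the point of output.
function wpmts_fixed(array $atts): string
{
    $tag = esc_attr_like($atts['tag'] ?? '');
    return '<div class="media-tag" data-tag="' . $tag . '">Tagged Media</div>';
}

// Stand-in for do_shortcode(): expand every [wpmts ...] with the given handler.
function render(string $content, callable $handler): string
{
    return preg_replace_callback(
        '/\[wpmts\b([^\]]*)\]/',
        fn(array $m): string => $handler(parse_shortcode_atts($m[1])),
        $content
    );
}

// Constructed input: the post body a Contributor could save. KSES leaves it
// alone at save time because it is plain text, not HTML.
$post = "Holiday gallery: [wpmts tag='\" onmouseover=\"alert(1)']";

printf("vulnerable: %s\n", render($post, 'wpmts_vulnerable'));
printf("fixed:      %s\n", render($post, 'wpmts_fixed'));
```

Run it with php on the command line. The vulnerable line shows data-tag="" onmouseover="alert(1)": the double quote from the single-quoted shortcode value closed data-tag and the rest became a new attribute. The fixed line shows data-tag="&quot; onmouseover=&quot;alert(1)", one harmless attribute value. The same check, written against the real wp_* functions, belongs in the plugin's unit tests so the regression stays fixed.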
Who Can Exploit This?
Any logged-in user with the Contributor role or higher (Contributor, Author, Editor, Administrator) can plant the payload. A Contributor cannot publish, but that does not matter: their post sits in the Pending Review queue, and an Editor or Administrator who previews it in order to review it renders the shortcode and runs the script in their own privileged session. Once the post is published, every visitor who loads the page is affected.
Is There a Patch?
Yes. Version 4.1.2 and later of WP MediaTagger fix this bug by escaping the shortcode attributes on output. Note that upgrading changes how the shortcode is rendered; it does not remove payloads that are already stored in posts. After upgrading, search existing content (pending and draft posts included) for shortcodes whose attributes contain stray quotes, angle brackets or on*= event handlers, and review which accounts created them.
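After an upgrade the sink is gone but stored payloads are not. The following is an added PHP script, not part of this post or of the plugin, that hunts for shortcodes whose attributes look like attribute break-out attempts: a double quote inside a single-quoted value (the trick shown above), angle brackets, inline on*= handlers or javascript: URLs. The shortcode name wpmts and the sample rows are assumptions; in WordPress you would feed it the post_content of every post, pending and draft ones included, obtained from get_posts() or a wp db query.

```php
<?php
declare(strict_types=1);

// Added example, not part of the post or of WP MediaTagger: a heuristic hunt
// for shortcode attributes that try to break out of an HTML attribute, meant
// for existing content after upgrading. The shortcode name "wpmts" and the
// sample posts below are assumptions / constructed data.

// Patterns an ordinary tag name has no reason to contain:
//  - a double quote inside a single-quoted value (the break-out used above)
//  - angle brackets anywhere in the shortcode
//  - an inline event handler or a javascript: URL in the attribute text
const SUSPICIOUS_PATTERNS = [
    'quote_breakout' => '/\'[^\']*"[^\']*\'/',
    'angle_bracket'  => '/[<>]/',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
    'javascript_url' => '/javascript\s*:/i',
];

// Returns one finding per matching shortcode: post id, shortcode text, reasons.
function find_suspicious_shortcodes(array $posts, array $shortcode_names): array
{
    $names = implode('|', array_map('preg_quote', $shortcode_names));
    $shortcode_re = '/\[(?:' . $names . ')\b[^\]]*\]/i';
    $findings = [];
    foreach ($posts as $post) {
        if (!preg_match_all($shortcode_re, $post['post_content'], $m)) {
            continue;
        }
        foreach ($m[0] as $shortcode) {
            $reasons = [];
            foreach (SUSPICIOUS_PATTERNS as $reason => $re) {
                if (preg_match($re, $shortcode)) {
                    $reasons[] = $reason;
                }
            }
            if ($reasons) {
                $findings[] = [
                    'post_id'   => $post['ID'],
                    'shortcode' => $shortcode,
                    'reasons'   => $reasons,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample rows, shaped like wp_posts (ID, post_content).
$posts = [
    ['ID' => 101, 'post_content' => 'Holiday photos: [wpmts tag="beach"] and [wpmts tag=\'sunset\']'],
    ['ID' => 102, 'post_content' => "Gallery [wpmts tag='\" onmouseover=\"alert(1)']"],
    ['ID' => 103, 'post_content' => 'Gallery [wpmts tag=x<img src=x onerror=alert(1)>]'],
];

foreach (find_suspicious_shortcodes($posts, ['wpmts']) as $f) {
    printf("post %d: %s  (%s)\n", $f['post_id'], $f['shortcode'], implode(', ', $f['reasons']));
}
```

Treat the output as a triage list, not a verdict: a legitimate tag that happens to contain > would be flagged too, so review each hit together with the account that created it. On the sample data, post 102 is reported for quote_breakout and event_handler, post 103 for angle_bracket and event_handler, and post 101 produces no finding.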
Upgrade now:
- Download WP MediaTagger
Original Advisory:
- WPScan Advisory: CVE-2024-13101
Plugin Homepage:
- WP MediaTagger on WordPress.org
Summary
CVE-2024-13101 is yet another reminder to keep WordPress plugins updated and to treat every user-supplied value, including shortcode attributes that sail past KSES as plain text, as untrusted. This bug in WP MediaTagger let a low-privilege Contributor run script in the sessions of the people who review and read their posts, all because attribute values were not escaped. The fix is simple: keep plugins up to date and always escape data at the point of output, with the function that matches the context.
Stay safe, and keep your WordPress security tight.
*Written exclusively for you by AI. Feel free to share and reference with credit!*
Timeline
Published on: 01/31/2025 06:15:28 UTC
Last modified on: 03/19/2025 17:15:39 UTC