WordPress Plugin Vulnerabilities

Custom Field Suite <= 2.5.14 - Authenticated Cross-Site Scripting (XSS)

Description

The Custom Field Suite WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability.

Affects Plugins

Plugin icon
custom-field-suite
Fixed in 2.5.15

References

CVE
CVE-2019-11871
URL
https://web.archive.org/web/20191113060020/https://blog.reddy.io/2019/05/30/xss-injection-vulnerability-in-custom-field-suite-wordpress-plugin/
URL
https://plugins.trac.wordpress.org/changeset/2083730/custom-field-suite

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
reddy.io
Submitter
Ryan Dewhurst
Submitter website
https://wpscan.io
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
1c36356a-2dea-4909-bd6d-3063d50e5390

Timeline

Publicly Published
2019-05-08 (about 7 years ago)
Added
2019-05-10 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-03-03
Title
Zigaform – Form Builder Lite < 7.4.3 - Unauthenticated Stored Cross-Site Scripting
Published
2024-07-10
Title
Tutor LMS < 2.7.3 - Authenticated (Tutor Instructor+) Stored Cross-Site Scripting
Published
2024-08-12
Title
WHMpress <= 6.2-revision-5 - Reflected Cross-Site Scripting
Published
2025-09-22
Title
GetResponse Forms < 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2011-09-27
Title
Redline < 1.66 - XSS