WordPress Plugin Vulnerabilities

Custom Field Suite < 2.6.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Description

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a meta import in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the meta values. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
custom-field-suite
Fixed in 2.6.5

References

CVE
CVE-2024-0689
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d8e967ce-fd36-44de-acca-c1985642ee5b

Classification

Type
CROSS FRAME SCRIPTING
OWASP top 10
A1: Injection
CWE
CWE-80
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Sh
Verified
No
WPVDB ID
832d700d-26ce-40d0-8445-585caa0f36a9

Timeline

Publicly Published
2024-02-28 (about 2 years ago)
Added
2024-02-28 (about 2 years ago)
Last Updated
2024-02-28 (about 2 years ago)

Other

Published
Title
Published
2024-02-12
Title
SiteOrigin Widgets Bundle < 1.58.3 - Contributor+ Stored Cross-Site Scripting
Published
2026-01-06
Title
Responsive Pricing Table < 5.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'table_currency'
Published
2024-03-27
Title
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress < 6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2026-01-06
Title
Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render
Published
2024-04-17
Title
Jobs for WordPress < 2.7.6 - Reflected Cross-Site Scripting via job-search