CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
What the vulnerability does
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template custom-field-template allows Stored XSS.This issue affects Custom Field Template: from n/a through <= 2.7.7.
Explanation of Vulnerability in Simple Terms
Custom Field Template versions 2.7.7 and earlier contain a cross-site scripting vulnerability. An attacker with low-level site access can inject malicious scripts into custom fields. When another user views the affected content, the script executes in their browser, potentially allowing the attacker to steal session tokens, modify page content, or perform actions on behalf of the victim.
What an attacker can do
Inject and execute malicious JavaScript in other users' browsers when they view custom field content.
Potential impact on your site
Site users' accounts and data are at risk if attackers with low-level access inject malicious scripts into custom fields.
Conditions required to exploit
Attacker needs low-level site access (e.g., contributor or subscriber role) and the victim must view a page containing the injected custom field.
Key dates
External resources
Related vulnerabilities
