CVE-2025-68607
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template custom-field-template allows Stored XSS. This issue affects Custom Field Template: from n/a through <= 2.7.7.
Analysis
Stored cross-site scripting (XSS) in WordPress Custom Field Template plugin through version 2.7.7 allows authenticated users to inject malicious scripts that execute in the browsers of other users who view affected content, potentially compromising site security and user data. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the high-impact nature of stored XSS on WordPress sites.
Technical Context
This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability, commonly known as stored or persistent cross-site scripting. The Custom Field Template plugin, developed by Hiroaki Miyashita, fails to properly sanitize and escape user-supplied input when generating web pages, allowing attackers to inject arbitrary HTML and JavaScript code that persists in the WordPress database. Authenticated users with permissions to create or edit custom fields can craft payloads that execute whenever other users view pages containing those fields, compromising the site's security model by leveraging the plugin's trust of stored data.
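To make the failure mode concrete, here is an added example (not the plugin's code, and not the affected code path, which the advisory does not identify) showing how a WordPress plugin should handle a custom field value on save and on output; the function names and meta key are hypothetical, while the WordPress APIs used (`current_user_can`, `wp_kses_post`, `esc_html`, `esc_attr`, `get_post_meta`, `update_post_meta`) are real core functions.

```php
<?php
// Added example, not from the Custom Field Template plugin. Hypothetical
// helpers illustrating the two controls whose absence produces CWE-79:
// capability-aware sanitization on save and context-specific escaping on output.

// On save: store only what the current user is allowed to store.
function cft_example_save_field( int $post_id, string $meta_key, string $raw ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    // Only users holding unfiltered_html may keep arbitrary markup; everyone
    // else is reduced to the post-content allow-list (no <script>, no on* handlers).
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    return update_post_meta( $post_id, $meta_key, $clean );
}

// On output: escape for the exact context the value is written into.
function cft_example_render_field( int $post_id, string $meta_key ): string {
    $value = (string) get_post_meta( $post_id, $meta_key, true );

    // The unsafe pattern behind a stored XSS is echoing the stored value verbatim:
    //   echo '<div class="cft">' . $value . '</div>';

    // Text context: entity-encode everything.
    $html  = '<div class="cft">' . esc_html( $value ) . '</div>';
    // Attribute context: esc_attr() for attribute values (esc_url() for hrefs).
    $html .= '<input type="text" value="' . esc_attr( $value ) . '">';
    return $html;
}

// Rich-text fields that must keep some markup are filtered on output as well,
// because stored data may predate a fix or come from a since-demoted user.
function cft_example_render_rich_field( int $post_id, string $meta_key ): string {
    return wp_kses_post( (string) get_post_meta( $post_id, $meta_key, true ) );
}
```

Filtering on output as well as on save is what protects a site whose database already holds payloads written before the plugin was patched.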
Affected Products
The Custom Field Template WordPress plugin by Hiroaki Miyashita is affected in all versions from an unspecified baseline through version 2.7.7. The plugin's WordPress.org repository listing indicates the vulnerability impacts the plugin as distributed through the official WordPress plugin directory. An exact CPE string is not provided in the source data, but the plugin's identifier in the WordPress ecosystem is custom-field-template.
Remediation
Site administrators should immediately update the Custom Field Template plugin to a version newer than 2.7.7, as indicated by the Patchstack vulnerability database entry. For instructions and confirmation of the patched version, refer to the official WordPress.org plugin page or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-field-template/vulnerability/wordpress-custom-field-template-plugin-2-7-5-cross-site-scripting-xss-vulnerability. As an interim measure, restrict custom field editing permissions to only trusted administrative users by managing WordPress user roles and capabilities carefully. Disable the plugin if an update is unavailable and the custom field functionality is not critical to site operations.