Skip to main content

Custom Field Template EUVDEUVD-2026-41296

| CVE-2026-57687 HIGH
SQL Injection (CWE-89)
2026-07-02 Patchstack GHSA-3jm7-hr4j-gx2m
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Network-reachable SQLi requiring only Contributor auth (PR:L), no interaction; injection into the shared DB changes scope (S:C) with high data disclosure (C:H), no integrity, low availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:26 vuln.today

DescriptionCVE.org

Contributor SQL Injection in Custom Field Template <= 2.7.8 versions.

AnalysisAI

SQL injection in the Custom Field Template WordPress plugin (versions <= 2.7.8) allows a low-privileged authenticated user at the Contributor role to inject arbitrary SQL into backend database queries. Because the CVSS scope is changed and confidentiality impact is High, a Contributor can read data beyond their own authorization boundary, including other users' credentials and site secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor account on target site
Delivery
Access plugin custom-field input
Exploit
Submit crafted SQL injection payload
Execution
Injected query executes against WordPress DB
Impact
Exfiltrate credentials and sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account at the Contributor role (CVSS PR:L) on a WordPress site running Custom Field Template plugin version 2.7.8 or earlier; the attacker sends the malicious input remotely (AV:N) over the network with no user interaction (UI:N) and low complexity (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, base 8.5) describes network-reachable, low-complexity exploitation requiring only Contributor-level authentication (PR:L) and no user interaction, with High confidentiality impact, no integrity impact, and Low availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor account on a multi-author WordPress site running Custom Field Template <= 2.7.8, then submits a crafted value through a plugin-exposed field/parameter that is concatenated into a database query. The injected SQL runs against the WordPress database, letting the attacker exfiltrate sensitive data such as user password hashes, session/auth secrets, or private post content. …
Remediation No vendor-released patch version is identified in the available data, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/custom-field-template/vulnerability/wordpress-custom-field-template-plugin-2-7-8-sql-injection-vulnerability) for the fixed release and upgrade to any version above 2.7.8 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress installations for Custom Field Template plugin versions ≤2.7.8; immediately disable or remove affected versions pending patch availability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy