Skip to main content

Smart Custom Fields EUVDEUVD-2026-45122

| CVE-2026-2594 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-17 Wordfence GHSA-xpfv-qr3c-jw2p
6.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

UI:R applied because stored XSS impact requires victim page navigation; PR:L reflects mandatory Author-level authentication; S:C for cross-browser scope change.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 02:01 vuln.today
CVE Published
Jul 17, 2026 - 01:30 cve.org
MEDIUM 6.4

DescriptionNVD

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in 5.0.7.

AnalysisAI

Stored cross-site scripting in the Smart Custom Fields WordPress plugin (versions up to and including 5.0.7) enables authenticated attackers holding at minimum Author-level access to persist malicious JavaScript payloads by supplying unsanitized content in uploaded image attachment titles. Any site visitor who subsequently loads an affected page triggers execution of the injected script within their browser, enabling session hijacking, credential harvesting, or unauthorized actions on behalf of that user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Author-level WordPress credentials
Delivery
Upload image with crafted XSS payload in attachment title
Exploit
Plugin stores unsanitized title in WordPress database
Execution
Victim visits page rendering the attachment title
Persist
Malicious script executes in victim browser
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account with at minimum Author-level privileges - this is the critical limiting condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.4 (Medium) reflects the network-accessible, low-complexity attack with low privilege requirements and changed scope, but uses UI:N - which is atypical for stored XSS where a victim must navigate to the injected page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises an Author-level WordPress account on the target site, then uploads an image whose attachment title contains a JavaScript payload such as a cookie-stealing script. When a site administrator or visitor views any post or page where the Smart Custom Fields plugin renders that attachment title without escaping, the injected script executes in their browser. …
Remediation The primary remediation path is to update to the version of Smart Custom Fields that incorporates the complete fix referenced in the WordPress plugin repository changesets 3485210 (https://plugins.trac.wordpress.org/changeset/3485210/smart-custom-fields) and 3609564 (https://plugins.trac.wordpress.org/changeset/3609564/smart-custom-fields). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45122 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy