Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
UI:R applied because stored XSS impact requires victim page navigation; PR:L reflects mandatory Author-level authentication; S:C for cross-browser scope change.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in 5.0.7.
AnalysisAI
Stored cross-site scripting in the Smart Custom Fields WordPress plugin (versions up to and including 5.0.7) enables authenticated attackers holding at minimum Author-level access to persist malicious JavaScript payloads by supplying unsanitized content in uploaded image attachment titles. Any site visitor who subsequently loads an affected page triggers execution of the injected script within their browser, enabling session hijacking, credential harvesting, or unauthorized actions on behalf of that user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account with at minimum Author-level privileges - this is the critical limiting condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.4 (Medium) reflects the network-accessible, low-complexity attack with low privilege requirements and changed scope, but uses UI:N - which is atypical for stored XSS where a victim must navigate to the injected page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises an Author-level WordPress account on the target site, then uploads an image whose attachment title contains a JavaScript payload such as a cookie-stealing script. When a site administrator or visitor views any post or page where the Smart Custom Fields plugin renders that attachment title without escaping, the injected script executes in their browser. … |
| Remediation | The primary remediation path is to update to the version of Smart Custom Fields that incorporates the complete fix referenced in the WordPress plugin repository changesets 3485210 (https://plugins.trac.wordpress.org/changeset/3485210/smart-custom-fields) and 3609564 (https://plugins.trac.wordpress.org/changeset/3609564/smart-custom-fields). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45122
GHSA-xpfv-qr3c-jw2p