Skip to main content

Meta Field Block Display Custom Fields In The Block Editor Without Coding

1 CVEs product

Monthly

CVE-2026-6252 MEDIUM This Month

Stored Cross-Site Scripting in the Meta Field Block WordPress plugin (versions ≤1.5.2) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'tagName' block attribute. Any user who subsequently visits a page containing the injected block will execute the attacker's arbitrary JavaScript in their browser context. A vendor-released patch (1.5.3) is available; no public exploit has been identified and EPSS and SSVC signals both indicate low exploitation probability at this time.

XSS WordPress Meta Field Block Display Custom Fields In The Block Editor Without Coding
NVD
CVSS 3.1
6.4
EPSS
0.0%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Meta Field Block WordPress plugin (versions ≤1.5.2) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'tagName' block attribute. Any user who subsequently visits a page containing the injected block will execute the attacker's arbitrary JavaScript in their browser context. A vendor-released patch (1.5.3) is available; no public exploit has been identified and EPSS and SSVC signals both indicate low exploitation probability at this time.

XSS WordPress Meta Field Block Display Custom Fields In The Block Editor Without Coding
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy