Skip to main content

Smart Custom Fields

1 CVEs product

Monthly

CVE-2026-2594 MEDIUM This Month

Stored cross-site scripting in the Smart Custom Fields WordPress plugin (versions up to and including 5.0.7) enables authenticated attackers holding at minimum Author-level access to persist malicious JavaScript payloads by supplying unsanitized content in uploaded image attachment titles. Any site visitor who subsequently loads an affected page triggers execution of the injected script within their browser, enabling session hijacking, credential harvesting, or unauthorized actions on behalf of that user. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis; however, the vulnerability is partially unresolved even in the stated boundary version 5.0.7, making the precise remediation target unclear without consulting the referenced patch changesets.

WordPress XSS Smart Custom Fields
NVD VulDB
CVSS 3.1
6.4
CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Smart Custom Fields WordPress plugin (versions up to and including 5.0.7) enables authenticated attackers holding at minimum Author-level access to persist malicious JavaScript payloads by supplying unsanitized content in uploaded image attachment titles. Any site visitor who subsequently loads an affected page triggers execution of the injected script within their browser, enabling session hijacking, credential harvesting, or unauthorized actions on behalf of that user. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis; however, the vulnerability is partially unresolved even in the stated boundary version 5.0.7, making the precise remediation target unclear without consulting the referenced patch changesets.

WordPress XSS Smart Custom Fields
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy