Smart Custom Fields
Monthly
Stored cross-site scripting in the Smart Custom Fields WordPress plugin (versions up to and including 5.0.7) enables authenticated attackers holding at minimum Author-level access to persist malicious JavaScript payloads by supplying unsanitized content in uploaded image attachment titles. Any site visitor who subsequently loads an affected page triggers execution of the injected script within their browser, enabling session hijacking, credential harvesting, or unauthorized actions on behalf of that user. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis; however, the vulnerability is partially unresolved even in the stated boundary version 5.0.7, making the precise remediation target unclear without consulting the referenced patch changesets.
Stored cross-site scripting in the Smart Custom Fields WordPress plugin (versions up to and including 5.0.7) enables authenticated attackers holding at minimum Author-level access to persist malicious JavaScript payloads by supplying unsanitized content in uploaded image attachment titles. Any site visitor who subsequently loads an affected page triggers execution of the injected script within their browser, enabling session hijacking, credential harvesting, or unauthorized actions on behalf of that user. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis; however, the vulnerability is partially unresolved even in the stated boundary version 5.0.7, making the precise remediation target unclear without consulting the referenced patch changesets.