The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfs[post_title]' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Configurations
Configuration 1 (hide)
|
History
11 Jul 2024, 02:52
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:custom_field_suite_project:custom_field_suite:*:*:*:*:*:wordpress:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
First Time |
Custom Field Suite Project
Custom Field Suite Project custom Field Suite |
|
References | () https://core.trac.wordpress.org/ticket/56655 - Issue Tracking | |
References | () https://en-gb.wordpress.org/plugins/custom-field-suite/ - Product | |
References | () https://github.com/WordPress/WordPress/blob/22d95abc55824e83904dc0fef290464b6bec7708/wp-admin/includes/template.php#L1384 - Product | |
References | () https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/api.php#L282 - Product | |
References | () https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/field_group.php#L20 - Product | |
References | () https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/form.php#L64 - Product | |
References | () https://mgibbs189.github.io/custom-field-suite/ - Exploit | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/8e4dc6fd-4bd5-4ed1-ade0-cf2f8831fac3?source=cve - Third Party Advisory | |
CWE | CWE-79 |
20 Jun 2024, 12:43
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
20 Jun 2024, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-20 02:15
Updated : 2024-07-11 02:52
NVD link : CVE-2024-3558
Mitre link : CVE-2024-3558
CVE.ORG link : CVE-2024-3558
JSON object : View
Products Affected
custom_field_suite_project
- custom_field_suite
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')