
40 matches found

NVD
added 2022/03/07 9:15 a.m., 9 views

CVE-2021-24826

The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Please note that such attack is still...

5.4 CVSS, 0.0018 EPSS
Exploits 2, References 1
OSV
added 2022/03/07 9:15 a.m., 3 views

CVE-2021-24824

The field shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the...

4.3 CVSS, 5.9 AI score, 0.00227 EPSS
Exploits 2, References 1
OSV
added 2022/03/07 9:15 a.m., 2 views

CVE-2021-24825

The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem such as logs, .htaccess etc, as well as perform Local File Inclusion...

4.3 CVSS, 5.7 AI score, 0.00089 EPSS
Exploits 2, References 1
NVD
added 2022/03/07 9:15 a.m., 10 views

CVE-2021-24824

The field shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the...

4.3 CVSS, 0.00227 EPSS
Exploits 2, References 1
NVD
added 2022/03/07 9:15 a.m., 9 views

CVE-2021-24825

The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem such as logs, .htaccess etc, as well as perform Local File Inclusion...

4.3 CVSS, 0.00089 EPSS
Exploits 2, References 1
Prion
added 2022/03/07 9:15 a.m., 8 views

Cross site scripting

The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Please note that such attack is still...

3.5 CVSS, 5.2 AI score, 0.0018 EPSS
Exploits 2, References 1, Affected Software 1
Cvelist
added 2022/03/07 8:16 a.m., 14 views

CVE-2021-24826 Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting

The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Please note that such attack is still...

5.4 AI score, 0.0018 EPSS
Exploits 2, References 1
CVE
added 2022/03/07 8:16 a.m., 74 views

CVE-2021-24826

The CVE-2021-24826 issue affects the WordPress plugin “Custom Content Shortcode” prior to version 4.0.2. The vulnerability arises because the plugin does not escape custom fields before output, enabling authenticated users with Contributor+ (v < 4.0.1) or Admin+ (v

5.4 CVSS, 5.2 AI score, 0.0018 EPSS
Exploits 2, References 1, Affected Software 1
CVE
added 2022/03/07 8:16 a.m., 86 views

CVE-2021-24825

CVE-2021-24825 affects the WordPress plugin Custom Content Shortcode (versions before 4.0.2). The issue arises because load shortcode data is not validated, allowing authenticated contributors (v < 4.0.1) or admins (v

4.3 CVSS, 4.5 AI score, 0.00089 EPSS
Exploits 2, References 1, Affected Software 1
Cvelist
added 2022/03/07 8:16 a.m., 15 views

CVE-2021-24824 Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access

The field shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the...

4.9 AI score, 0.00227 EPSS
Exploits 2, References 1
CNNVD
added 2022/03/07 12:0 a.m., 3 views

WordPress plugin Custom Content Shortcode data forgery vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. A WordPress plugin is an application plugin for WordPress. WordPress plugin Custom Content Shortcode versions prior to 4.0.2 are vulnerable to an access control error, which stems from the plugin's...

4.3 CVSS, 5.8 AI score, 0.00089 EPSS
Exploits 2, References 2
CNNVD
added 2022/03/07 12:0 a.m., 3 views

WordPress plugin cross-site scripting vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. A WordPress plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists in the Custom...

5.4 CVSS, 5.5 AI score, 0.0018 EPSS
Exploits 2, References 2
Patchstack
added 2022/02/02 12:0 a.m., 18 views

WordPress Custom Content Shortcode plugin <= 3.8.9 - Unauthorized Arbitrary Post Metadata Access vulnerability

Unauthorized Arbitrary Post Metadata Access vulnerability discovered by Francesco Carlucci in WordPress Custom Content Shortcode plugin versions <= 3.8.9. Solution: Update the WordPress Custom Content Shortcode plugin to the latest available version (at least 4.0.0)...

4.3 CVSS, 4 AI score, 0.00227 EPSS
Exploits 2, References 3, Affected Software 1
WPVulnDB
added 2022/02/02 12:0 a.m., 14 views

Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting

The plugin does not escape custom fields before outputting them, which could allow Contributor+ v Preferences Panels and enable the Custom Fields, such as testxss with a value of Then add the following shortcode to the post field testxss and view/preview it to trigger the XSS...

1.2 AI score, 0.0018 EPSS
Exploits 2, Affected Software 1
WPVulnDB
added 2022/02/02 12:0 a.m., 16 views

Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access

The field shortcode included with the plugin allows authenticated users with a role as low as contributor to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved. PoC: With...

3.8 AI score, 0.00227 EPSS
Exploits 2, Affected Software 1
wpexploit
added 2022/02/02 12:0 a.m., 137 views

Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting

The plugin does not escape custom fields before outputting them, which could allow Contributor+ v Preferences Panels and enable the Custom Fields, such as testxss with a value of alert/XSS/ Then add the following shortcode to the post field testxss and view/preview it to trigger the XSS...

0.1 AI score, 0.0018 EPSS
Exploits 2
WPVulnDB
added 2022/02/02 12:0 a.m., 19 views

Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI

The plugin does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem such as logs, .htaccess etc, as well as perform Local File Inclusion attacks as PHP files will be executed. Please note...

2.4 AI score, 0.00089 EPSS
Exploits 2, Affected Software 1
Patchstack
added 2022/02/02 12:0 a.m., 20 views

WordPress Custom Content Shortcode plugin <= 4.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Francesco Carlucci in WordPress Custom Content Shortcode plugin versions <= 4.0.1. Solution: Update the WordPress Custom Content Shortcode plugin to the latest available version (at least 4.0.2)...

5.4 CVSS, 2.1 AI score, 0.0018 EPSS
Exploits 2, References 3, Affected Software 1
wpexploit
added 2022/02/02 12:0 a.m., 134 views

Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI

The plugin does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem such as logs, .htaccess etc, as well as perform Local File Inclusion attacks as PHP files will be executed. Please note...

0.3 AI score, 0.00089 EPSS
Exploits 2
Patchstack
added 2022/01/26 12:0 a.m., 9 views

WordPress Custom Content Shortcode plugin <= 3.8.9 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress Custom Content Shortcode plugin versions <= 3.8.9. Solution: Update the WordPress Custom Content Shortcode plugin to the latest available version (at least 4.0.0)...

2.2 AI score
Exploits 0, References 1, Affected Software 1