9 matches found
CVE-2022-4324
The vulnerability CVE-2022-4324 affects the WordPress plugin Custom Field Template prior to version 2.5.8 . The issue arises from unserialising the content of an imported file, which can enable PHP object injection when a high-privilege user imports a malicious Customizer Styling file and a suita...
CVE-2024-0653
CVE-2024-0653 concerns the WordPress plugin Custom Field Template . The vulnerability is a Stored Cross‑Site Scripting (XSS) in admin settings due to insufficient input sanitization and output escaping, affecting all versions up to and including 2.6.1. It enables an attacker with at least adminis...
CVE-2023-6745
CVE-2023-6745 concerns the WordPress plugin Custom Field Template . The vulnerability is a Stored Cross-Site Scripting (XSS) via the plugin’s cpt shortcode in all versions up to 2.6.1, caused by insufficient input sanitization and output escaping on user-supplied post meta. Exploitation requires ...
CVE-2023-38392
CVE-2023-38392 : Unauthenticated Reflected Cross-Site Scripting in WordPress plugin Custom Field Template by Hiroaki Miyashita, affected versions ≤ 2.5.9. Root cause: reflected XSS vulnerability. Impact: potential client-side script execution for unauthenticated attackers. Mitigation: update to v...
CVE-2023-6748
The CVE-2023-6748 entry concerns the WordPress plugin Custom Field Template. Affected versions are ≤ 2.6.1, with vulnerability enabling Sensitive Information Exposure via the cft shortcode, allowing authenticated attackers with Contributor+ privileges to extract sensitive data including arbitrary...
CVE-2024-0627
The CVE-2024-0627 entry concerns the WordPress plugin Custom Field Template (versions
CVE-2023-22695
CVE-2023-22695 is a CSRF vulnerability in the Hiroaki Miyashita Custom Field Template WordPress plugin, affecting versions
CVE-2024-44062
The CVE-2024-44062 entry refers to the WordPress Plugin Custom Field Template (versions
CVE-2020-36742
CVE-2020-36742 relates to the WordPress Custom Field Template plugin. A CSRF vulnerability exists in versions up to 2.5.1 due to missing or incorrect nonce validation on the edit_meta_value() function, enabling unauthenticated attackers to edit meta field values via forged requests if they can tr...