The plugin adds a shortcode that prints custom fields. However, their content is not sanitised or escaped, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
- Log in as contributor+
- Create a custom field containing an XSS payload (e.g. <script>alert(1)</script>)
- Add this shortcode to the post/page: [metadata element="custom_fields"]
- The XSS will be triggered when the post/page is previewed/viewed by any user
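
The pattern described above, shown beside a hardened form. This is an added example, not the affected plugin's code; the plugin header, the shortcode tags `demo_fields_unsafe` / `demo_fields_safe` and all function names are hypothetical, and only WordPress core functions are called.

```php
<?php
/**
 * Plugin Name: Custom Field Shortcode Escaping Demo (added example, hypothetical)
 */

// Hypothetical helper: all custom fields of the current post, or an empty array.
function demo_current_post_meta() {
    $meta = get_post_custom( get_the_ID() );
    return is_array( $meta ) ? $meta : array();
}

// Vulnerable pattern: keys and values go into the HTML exactly as stored,
// so markup saved in a custom field is rendered by every viewer's browser.
function demo_fields_unsafe() {
    $out = '<ul>';
    foreach ( demo_current_post_meta() as $key => $values ) {
        foreach ( $values as $value ) {
            $out .= '<li>' . $key . ': ' . $value . '</li>'; // raw output
        }
    }
    return $out . '</ul>';
}
add_shortcode( 'demo_fields_unsafe', 'demo_fields_unsafe' );

// Hardened pattern: skip protected (internal) keys and escape at output time.
function demo_fields_safe() {
    $out = '<ul>';
    foreach ( demo_current_post_meta() as $key => $values ) {
        if ( is_protected_meta( $key, 'post' ) ) {
            continue; // internal keys such as _edit_lock are not meant for display
        }
        foreach ( $values as $value ) {
            // esc_html() encodes <, >, &, and quotes for the HTML body context,
            // so a stored <script> tag is displayed as text instead of executed.
            $out .= '<li>' . esc_html( $key ) . ': ' . esc_html( $value ) . '</li>';
        }
    }
    return $out . '</ul>';
}
add_shortcode( 'demo_fields_safe', 'demo_fields_safe' );
```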