The plugin adds a shortcode to print out custom fields; however, their content is neither sanitised nor escaped, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
- Log in as Contributor+
- Create a custom field containing an XSS payload (e.g. )
- Add this shortcode to the post/page: [metadata element="custom_fields"]
- The XSS will be triggered when the post/page is previewed/viewed by any user
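The root cause described above is a shortcode callback that echoes post meta straight into the page. The following is an added example, not the affected plugin's code: a hypothetical shortcode (`metadata_example`, with an assumed `element` attribute) that renders a post's custom fields and escapes every key and value with `esc_html()` before returning them, which is the fix such a plugin needs.

```php
<?php
// Added example (not the plugin's own code): a hypothetical shortcode that
// prints a post's custom fields with every key and value escaped on output.
// The shortcode name 'metadata_example' and the attribute handling are assumptions.

add_shortcode( 'metadata_example', 'metadata_example_shortcode' );

function metadata_example_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'element' => 'custom_fields' ),
        $atts,
        'metadata_example'
    );

    if ( 'custom_fields' !== $atts['element'] ) {
        return '';
    }

    $post_id = get_the_ID();
    if ( ! $post_id ) {
        return '';
    }

    $output = '<ul class="custom-fields">';

    // get_post_custom() returns meta_key => array of string values.
    foreach ( get_post_custom( $post_id ) as $key => $values ) {
        // Skip protected/internal meta (keys beginning with '_').
        if ( is_protected_meta( $key, 'post' ) ) {
            continue;
        }

        foreach ( (array) $values as $value ) {
            // A Contributor controls both the key and the value, so neither
            // may reach the page as raw HTML: escape both at the point of output.
            $output .= sprintf(
                '<li><strong>%s</strong>: %s</li>',
                esc_html( $key ),
                esc_html( $value )
            );
        }
    }

    $output .= '</ul>';

    return $output;
}
```

If a plugin genuinely needs to allow limited markup in a field, `wp_kses_post()` in place of `esc_html()` strips script-capable tags and attributes while keeping ordinary formatting. Escaping at output time is what matters here: Contributors cannot publish, but a post they submit is previewed by an editor or administrator, so the unescaped field executes in a higher-privileged session.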