The Custom Field Suite plugin for WordPress is vulnerable...
High severity
Unreviewed
Published
Jun 20, 2024
to the GitHub Advisory Database
•
Updated Jun 20, 2024
Description
Published by the National Vulnerability Database
Jun 20, 2024
Published to the GitHub Advisory Database
Jun 20, 2024
Last updated
Jun 20, 2024
The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. This is due to insufficient sanitization of input prior to being used in a call to the eval() function. This makes it possible for authenticated attackers, with contributor-level access and above, to execute arbitrary PHP code on the server.
References