PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2594 inc2734 CVE debrief

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting. This issue, affecting versions up to and including 5.0.7, stems from insufficient input sanitization and output escaping of uploaded image attachment titles. Authenticated attackers with Author-level access and above can inject arbitrary web scripts into pages, which execute when a user accesses an injected page. A partial patch was applied in version 5.0.7.

Vendor
inc2734
Product
Smart Custom Fields
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of the Smart Custom Fields plugin for WordPress, particularly those with versions up to 5.0.7, should be aware of this vulnerability. Site administrators and security teams should prioritize updating to a patched version and monitor for potential exploitation attempts.

Technical summary

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to inadequate input sanitization and output escaping of uploaded image attachment titles. This vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. When a user accesses an injected page, the script executes. The vulnerability's CVSS score is 6.4, classified as MEDIUM severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Defensive priority

Medium priority should be given to updating the Smart Custom Fields plugin to a version that fully addresses this vulnerability.

Recommended defensive actions

  • Update the Smart Custom Fields plugin to a version that fully patches this vulnerability.
  • Review and monitor user access and permissions for the plugin.
  • Implement additional security measures such as Web Application Firewall (WAF) rules to detect and prevent exploitation attempts.
  • Regularly update and patch all WordPress plugins and themes.
  • Monitor for suspicious activity and injected scripts on the website.

Evidence notes

The CVE record was published on 2026-07-17T02:18:05.607Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability was reported by [email protected].

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:05.607Z and has not been modified since then. The NVD entry is currently in the 'Received' status.