PatchSiren

inc2734 CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM inc2734 CVE published 2026-07-17

CVE-2026-2594

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting. This issue, affecting versions up to and including 5.0.7, stems from insufficient input sanitization and output escaping of uploaded image attachment titles. Authenticated attackers with Author-level access and above can inject arbitrary web scripts into pages, which execute when a user accesses an injected page. A [truncated]