MEDIUM
inc2734
CVE published 2026-07-17
CVE-2026-2594
The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting. This issue, affecting versions up to and including 5.0.7, stems from insufficient input sanitization and output escaping of uploaded image attachment titles. Authenticated attackers with Author-level access and above can inject arbitrary web scripts into pages, which execute when a user accesses an injected page. A [truncated]