XSS Injection Vulnerability in Custom Field Suite WordPress Plugin
Cross-site scripting (XSS) vulnerability (CVE-2019-11871) in the Custom Field Suite plugin by Matt Gibbs, versions before 2.5.15, allows an authenticated attacker to inject arbitrary web script or HTML via the field name parameter. The payload is stored with the field and is executed in the browser of any administrator who later views the plugin's field list, so a lower-privileged account can run script in an administrator's session.
How to reproduce
1. The attacker visits a WordPress site on which the Custom Field Suite plugin is installed.
2. The attacker logs in with an account that has editor or administrator rights (the plugin's field editor requires one of these roles) and creates a field whose name contains HTML or JavaScript. The plugin neither rejects nor encodes the value.
3. The Custom Field Suite plugin saves the created field with the name stored unchanged.
4. When an administrator opens the Custom Field Suite section of the admin panel, the stored field name is written into the page unescaped and the malicious code is executed in the administrator's browser.
To keep yourself safe from XSS, validate input on the way in and, above all, escape output for the context in which it is rendered. Application code must never write data received as input straight into a page; filtering input alone is not enough, because stored values can reach the database through other paths (imports, REST requests, direct database edits) and still end up in an administrator's browser. In WordPress that means passing every stored value through esc_html(), esc_attr() or esc_js() at the point where it is output, matching the function to the HTML context (text, attribute, or script), and using sanitize_text_field() or a stricter filter on save. A quick check for a plugin is to create a field whose name contains a literal < character and confirm it is rendered as &lt; in the page source.
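The following PHP is an added illustration, not code from Custom Field Suite or from the advisory's author. It shows the stored-XSS pattern the advisory describes, a saved field name echoed straight into admin-page markup, next to the hardened form that escapes for each HTML context. The field name, the render functions and the esc_html()/esc_attr() stand-ins are assumptions made so the snippet runs outside WordPress; inside a plugin you would use the core functions directly.

```php
<?php
// Added example, not Custom Field Suite code. Demonstrates the stored-XSS
// pattern from the advisory (field name rendered unescaped) beside the fix.

// Stand-ins so the example runs with plain PHP. WordPress already defines
// esc_html() and esc_attr(); in a real plugin delete these fallbacks.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample: a field name an editor-level account might submit.
// It is stored exactly as given; the defect is in how it is rendered later.
$stored_field_name = 'Subtitle"><script>alert(document.domain)</script>';

/** Vulnerable pattern: the stored value is concatenated into the markup. */
function render_field_row_vulnerable(string $name): string {
    return '<tr><td><input type="text" name="field_name" value="' . $name . '"></td>'
         . '<td>' . $name . '</td></tr>';
}

/** Hardened pattern: escape for the exact context the value lands in. */
function render_field_row_safe(string $name): string {
    return '<tr><td><input type="text" name="field_name" value="' . esc_attr($name) . '"></td>'
         . '<td>' . esc_html($name) . '</td></tr>';
}

// Quick self-check: the hardened output must not contain a raw <script> tag.
$safe = render_field_row_safe($stored_field_name);
if (strpos($safe, '<script>') !== false) {
    throw new RuntimeException('escaping failed');
}

echo "Vulnerable (closes the attribute and injects a script tag):\n";
echo render_field_row_vulnerable($stored_field_name), "\n\n";
echo "Hardened (quotes and angle brackets become entities):\n";
echo $safe, "\n";
```

Note that the attribute context and the text context are escaped separately: a value that is harmless as element text can still break out of a value="..." attribute, which is why the same field name goes through esc_attr() in one place and esc_html() in the other.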
Mark Parfeniuk, Penetration & Vulnerability Tester at REDdy Solutions