CVE-2025-68607
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template custom-field-template allows Stored XSS. This issue affects Custom Field Template: from n/a through <= 2.7.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Custom Field Template plugin (≤2.7.7) allows authenticated attackers to inject arbitrary scripts via unsanitized input.
Vulnerability
Overview
The Custom Field Template plugin for WordPress (versions 2.7.7 and earlier) suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables attackers with Contributor-level access or higher to inject scripts that are stored on the server and later executed in the browsers of other users, including administrators and site visitors.
Exploitation
Details
Exploitation requires that the attacker hold a WordPress user account with at least the Contributor role. The attacker injects a crafted payload into a custom field template, which is then stored and rendered without proper sanitization [1]. No additional user interaction is required for the initial injection, but the stored payload executes when a victim (e.g., an administrator or visitor) views the affected page. The CVSS v3 base score of 6.5 reflects medium severity, with a network-based attack vector and low privileges required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can be used to steal session cookies, redirect users to malicious sites, deface the site, or perform other actions on behalf of the authenticated user [1]. The vulnerability is particularly dangerous because it can be leveraged in mass exploitation across thousands of WordPress sites running the vulnerable plugin version.
Mitigation
The vendor has released version 2.7.8 which fixes the vulnerability by properly sanitizing input before storage [1]. Users are strongly advised to update immediately. For those unable to update, disabling the plugin or restricting contributor-level access may reduce risk. Patchstack users can enable auto-updates for vulnerable plugins [1].
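As an added illustration of the fix described above (sanitizing input before storage, plus escaping on output), here is a hypothetical WordPress meta-box handler written for this page; it is not the plugin's own code, and the field names, meta keys and function names are assumed. The first pair of functions shows the stored-XSS pattern; the second pair shows the hardened form using WordPress core's own sanitization and escaping APIs.

```php
<?php
// Added example, not code from Custom Field Template. Field names, meta keys
// and the cft_demo_* function names are hypothetical.

// Vulnerable pattern: the submitted value is stored verbatim and later echoed
// raw, so any markup a Contributor submits reaches every viewer's browser.
function cft_demo_save_unsafe( $post_id ) {
    if ( isset( $_POST['cft_demo_html'] ) ) {
        update_post_meta( $post_id, '_cft_demo_html', $_POST['cft_demo_html'] );
    }
}
function cft_demo_render_unsafe( $post_id ) {
    echo get_post_meta( $post_id, '_cft_demo_html', true ); // stored XSS sink
}

// Hardened pattern: verify the nonce and capability, strip disallowed markup
// on save, and escape again on output (defence in depth).
function cft_demo_save_safe( $post_id ) {
    if ( ! isset( $_POST['cft_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['cft_demo_nonce'], 'cft_demo_save' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Plain-text field: tags and control characters are removed before storage.
    $text = sanitize_text_field( wp_unslash( $_POST['cft_demo_text'] ?? '' ) );
    update_post_meta( $post_id, '_cft_demo_text', $text );
    // Rich-text field: reduced to the post-safe HTML allow-list (no <script>,
    // no on* event attributes, no javascript: URLs) before storage.
    $html = wp_kses_post( wp_unslash( $_POST['cft_demo_html'] ?? '' ) );
    update_post_meta( $post_id, '_cft_demo_html', $html );
}
function cft_demo_render_safe( $post_id ) {
    // Escape on output as well: stored values may predate the sanitizing code
    // or have been written through another path (import, REST API, direct SQL).
    echo '<p>' . esc_html( get_post_meta( $post_id, '_cft_demo_text', true ) ) . '</p>';
    echo wp_kses_post( get_post_meta( $post_id, '_cft_demo_html', true ) );
}
add_action( 'save_post', 'cft_demo_save_safe' );
```

Escaping on output matters even after the storage fix, because data saved by a vulnerable version remains in the database until it is re-saved or cleaned.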
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.7.7
- Range: <=2.7.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.