VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 9 known issues Latest disclosed Jun 19, 2024

Custom Field Suite Vulnerabilities

Review known vulnerability records for the WordPress plugin Custom Field Suite (`custom-field-suite`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-3558, CVE-2024-3562 and CVE-2024-3561, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
9
High or Critical
2
Patch Coverage
100%
Last Updated
Jul 29, 2024
Priority CVE Quick Links

Fast paths into Custom Field Suite CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
8
CVE-2024-3562 High No patch listed
CVE-2024-3562 Custom Field Suite Vulnerability

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) PHP Code Injection via Loop Custom Field

CVE-2024-3561 High No patch listed
CVE-2024-3561 Custom Field Suite SQL Injection

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) SQL Injection via Term Custom Field

CVE-2024-3558 Medium No patch listed
CVE-2024-3558 Custom Field Suite Stored Cross-Site Scripting

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_title]

CVE-2024-3559 Medium No patch listed
CVE-2024-3559 Custom Field Suite Stored Cross-Site Scripting

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_content]

CVE-2019-11871 Medium 2.5.15
CVE-2019-11871 Custom Field Suite Cross-Site Scripting

Custom Field Suite <= 2.5.14 - Authenticated Cross-Site Scripting

CVE-2024-3068 Medium 2.6.6
CVE-2024-3068 Custom Field Suite Stored Cross-Site Scripting

Custom Field Suite <= 2.6.5 - Authenticated (Admin+) Stored Cross-Site Scripting

CVE-2024-0689 Medium 2.6.5
CVE-2024-0689 Custom Field Suite Stored Cross-Site Scripting

Custom Field Suite <= 2.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting

CVE-2023-32515 Medium 2.6.3
CVE-2023-32515 Custom Field Suite Stored Cross-Site Scripting

Custom Field Suite <= 2.6.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Custom Field Suite so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
9 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 2 high severity findings.
Recent CVEs
CVE-2024-3558, CVE-2024-3562 and CVE-2024-3561
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Custom Field Suite

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: No CVE-2024-3558
CVE-2024-3558: Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_title]

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfs[post_title]' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

Published
Jun 19, 2024
Patched Release
Not published
Affected Versions
Versions up to 2.6.7
Next Step
Open the full report for remediation notes and references.
Open CVE-2024-3558 Report Open CVE Reference
Plugin High Patched: No CVE-2024-3562
CVE-2024-3562: Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) PHP Code Injection via Loop Custom Field

The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. This is due to insufficient sanitization of input prior to being used in a call to the eval() function. This makes it possible fo...

Published
Jun 19, 2024
Patched Release
Not published
Affected Versions
Versions up to 2.6.7
Next Step
Open the full report for remediation notes and references.
Open CVE-2024-3562 Report Open CVE Reference
Plugin High Patched: No CVE-2024-3561
CVE-2024-3561: Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) SQL Injection via Term Custom Field

The Custom Field Suite plugin for WordPress is vulnerable to SQL Injection via the the 'Term' custom field in all versions up to, and including, 2.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This ma...

Published
Jun 19, 2024
Patched Release
Not published
Affected Versions
Versions up to 2.6.7
Next Step
Open the full report for remediation notes and references.
Open CVE-2024-3561 Report Open CVE Reference
Plugin Medium Patched: No CVE-2024-3559
CVE-2024-3559: Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_content]

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfs[post_content]' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

Published
Jun 11, 2024
Patched Release
Not published
Affected Versions
Versions up to 2.6.7
Next Step
Open the full report for remediation notes and references.
Open CVE-2024-3559 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-3068
CVE-2024-3068: Custom Field Suite <= 2.6.5 - Authenticated (Admin+) Stored Cross-Site Scripting

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cfs[fields][*][name]' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attac...

Published
May 07, 2024
Patched Release
2.6.6
Affected Versions
Versions up to 2.6.5
Next Step
Update to 2.6.6 or newer if supported.
Open CVE-2024-3068 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-0689
CVE-2024-0689: Custom Field Suite <= 2.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a meta import in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the meta values. This makes it possible for authenticated attackers...

Published
Feb 28, 2024
Patched Release
2.6.5
Affected Versions
Versions up to 2.6.4
Next Step
Update to 2.6.5 or newer if supported.
Open CVE-2024-0689 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-32515
CVE-2023-32515: Custom Field Suite <= 2.6.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via field values in versions up to, and including, 2.6.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-l...

Published
May 10, 2023
Patched Release
2.6.3
Affected Versions
Versions up to 2.6.2.1
Next Step
Update to 2.6.3 or newer if supported.
Open CVE-2023-32515 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2019-11871
CVE-2019-11871: Custom Field Suite <= 2.5.14 - Authenticated Cross-Site Scripting

The Custom Field Suite plugin before 2.5.15 for WordPress has XSS for editors or admins.

Published
May 08, 2019
Patched Release
2.5.15
Affected Versions
Versions up to 2.5.14
Next Step
Update to 2.5.15 or newer if supported.
Open CVE-2019-11871 Report Open CVE Reference
Plugin Medium Patched: Yes
Custom Field Suite <= 2.4 - Missing Authorization

The Custom Field Suite plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in the ajax_handler() function in versions up to, and including, 2.4.1 This makes it possible for unauthorized attackers to access and execute otherwise restricted A...

Published
Mar 12, 2015
Patched Release
2.4.1
Affected Versions
Versions up to 2.4
Next Step
Update to 2.4.1 or newer if supported.
Open Full Report