CVE-2023-6809 in Custom Fields Shortcode Plugin
Summary
by MITRE • 03/13/2024
The Custom fields shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cf shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied custom post meta values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/18/2025
The Custom fields shortcode plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2023-6809 affecting all versions up to and including 0.1. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's cf shortcode implementation. The flaw specifically targets user-supplied custom post meta values that are processed through the plugin's shortcode functionality, creating a persistent vector for malicious code injection that can affect all users who access affected pages.
The technical exploitation of this vulnerability occurs through the plugin's insufficient validation of custom post meta values that are rendered within the cf shortcode. When authenticated attackers with contributor-level permissions or higher submit malicious content through custom fields, the plugin fails to properly sanitize this input before storing it in the database. The vulnerability manifests when the shortcode processes these stored values and outputs them without adequate escaping mechanisms, allowing attackers to inject arbitrary JavaScript code that executes in the context of other users' browsers when they view pages containing the malicious content.
This vulnerability has significant operational impact within WordPress environments as it enables attackers to leverage the plugin's functionality to execute malicious scripts in the browsers of unsuspecting users. The stored nature of the XSS vulnerability means that once malicious code is injected, it persists in the database and will execute whenever any user accesses pages containing the compromised content. This creates a persistent threat vector that can be exploited to steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious websites. The requirement for contributor-level permissions or higher limits the immediate threat surface but still represents a serious security risk in multi-user environments where such roles may be compromised or improperly managed.
The vulnerability aligns with CWE-79 which defines Cross-Site Scripting as a common weakness in web applications where untrusted data is not properly sanitized before being included in web pages. From an ATT&CK perspective, this vulnerability maps to T1566.001 which covers the use of malicious web content in phishing attacks and T1059.007 which encompasses the execution of scripts through web shells or compromised web applications. Organizations should immediately update to the latest version of the plugin once available, implement proper input validation and output escaping mechanisms, and consider restricting contributor-level permissions to reduce the attack surface. Additionally, security monitoring should be enhanced to detect suspicious content submissions and regular security audits should be conducted to identify similar vulnerabilities in other plugins or custom code implementations.