CVE-2023-6993 in Custom Post Types, Custom Fields & More Plugininfo

Summary

by MITRE • 04/09/2024

The Custom post types, Custom Fields & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and custom post meta in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping on user supplied post meta values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/14/2026

The vulnerability identified as CVE-2023-6993 affects the Custom post types, Custom Fields & more plugin for WordPress, presenting a critical stored cross-site scripting risk that has been present in all versions up to and including 5.0.4. This flaw represents a significant security weakness in the WordPress ecosystem, particularly concerning user input handling and output sanitization mechanisms. The vulnerability specifically targets the plugin's shortcode functionality and custom post meta features, which are commonly used by WordPress administrators and content creators to extend the platform's capabilities and manage custom data structures. The issue stems from inadequate input validation and output escaping processes that fail to properly sanitize user-supplied data before it is stored and subsequently rendered in web pages.

The technical exploitation of this vulnerability occurs through authenticated attackers who possess contributor-level permissions or higher within the WordPress environment. This access level is particularly concerning because contributors often have the ability to create and modify content, making the attack vector more accessible than many other XSS vulnerabilities that require administrator privileges. When malicious users leverage this vulnerability, they can inject arbitrary web scripts into custom post meta values that are then stored within the WordPress database. These injected scripts become persistent elements of the website's content and execute whenever any user accesses pages containing the malicious data, creating a stored XSS attack scenario. The flaw exists because the plugin fails to implement proper sanitization routines for user-supplied input before it is processed and stored, and subsequently fails to escape output when rendering these values on web pages.

The operational impact of CVE-2023-6993 extends beyond simple script execution, as it provides attackers with the ability to potentially escalate their privileges and compromise the entire WordPress installation. The stored nature of the vulnerability means that malicious scripts can affect multiple users over time, making it particularly dangerous for websites with high user traffic or those managing sensitive information. Attackers could potentially use this vulnerability to steal session cookies, redirect users to malicious websites, or even execute more sophisticated attacks such as credential theft or data exfiltration. The vulnerability's presence in the plugin's shortcode and custom post meta handling mechanisms means that any website utilizing these features is at risk, regardless of whether the malicious script is directly embedded in a post or appears in metadata that gets displayed on various pages. This widespread potential impact aligns with CWE-79, which categorizes cross-site scripting vulnerabilities as a fundamental weakness in input validation and output escaping processes.

Security professionals should recognize this vulnerability as a clear example of how insufficient input sanitization can lead to persistent security flaws in content management systems. The attack vector demonstrates the importance of proper output escaping and input validation in web applications, particularly those handling user-generated content. Organizations using this plugin should immediately implement mitigations including updating to the latest version where the vulnerability has been patched, implementing additional input validation measures, and monitoring user activities for signs of unauthorized script injection. The vulnerability also highlights the need for regular security audits of WordPress plugins, as many third-party extensions may not receive the same level of security scrutiny as core WordPress components. From an ATT&CK framework perspective, this vulnerability maps to techniques involving command and control communications and privilege escalation through web application attacks, making it a significant concern for organizations implementing comprehensive security frameworks. The remediation process should include not only updating the vulnerable plugin but also conducting thorough security assessments of all other plugins and custom code that may be susceptible to similar input handling flaws.

Responsible

Wordfence

Reservation

12/20/2023

Disclosure

04/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00435

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!