The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that allows attackers to store malicious JavaScript in the Custom Field Template plugin. Once stored, the code is injected into the page and executed in the browsers of users who view the affected content. This can lead to credential theft, session hijacking, or further exploitation of the host site. The flaw is a classic stored XSS (CWE‑79) where user input is not properly sanitized before being persisted and later rendered.

The affected vendor is Hiroaki Miyashita with the Custom Field Template WordPress plugin. Versions from the earliest release up to and including 2.7.7 are impacted. All installations of the plugin within this version range are susceptible.

The CVSS score of 6.5 indicates a medium severity. The EPSS score of <1% suggests a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker can submit a custom field value via the plugin’s administrative interface and that the site displays the field to users. Because the data is stored in the database, once injected the payload persists until the field is cleaned or the plugin is removed. Based on the description, it is inferred that the attack vector is through the web interface, typically an authenticated administrator or contributor with access to the plugin’s field editing features.