CVE-2021-24826

Name of the Vulnerable Software and Affected Versions Custom Content Shortcode WordPress plugin versions prior to 4.0.2

Description The issue allows Contributor+ users in versions prior to 4.0.1 and Admin+ users in versions prior to 4.0.2 to perform Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed. This is possible because custom fields are not properly escaped before being outputted. In single site blogs, such attacks are still possible by admin+ users by default, unless the unfiltered html capability is disallowed.

Recommendations For versions prior to 4.0.2, update to version 4.0.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom fields or disabling the Custom Content Shortcode plugin until a patch is applied. Additionally, disallowing the unfiltered html capability can help minimize the risk of exploitation in single site blogs.