Attention WordPress website owners using the Custom Field Template plugin: A high-severity Cross-Site Scripting (XSS) vulnerability has been identified, posing significant risks to WordPress security and potentially exposing your website to malware threats.

The security flaw was discovered and responsibly reported by Phd, underscoring the significance of collaborative efforts in ensuring a secure WordPress environment.

The vulnerability exists in the Custom Field Template Plugin, where attackers could exploit the flaw to inject malicious scripts, such as redirects, advertisements, and other HTML payloads, into the website. These injected scripts will be executed when guests visit the site, potentially leading to harmful consequences.


This XSS vulnerability in the Custom Field Template plugin is classified as high severity, with a CVSS 3.1 score of 7.1.

Affected Versions:

At present, no patched version is available, and there has been no reply from the vendor regarding a fix. The absence of a response from the vendor raises concerns about the plugin’s security status.


If exploited, malicious actors could inject harmful scripts into your website, endangering your visitors’ security and trust. The injected scripts could lead to redirects, unauthorized advertisements, and other malicious activities, potentially harming your website’s reputation.


Given the high severity of this vulnerability and the unavailability of a patched version or response from the vendor, immediate action is required to protect the WordPress website:

  1. Disable the Custom Field Template Plugin: As an immediate measure, disable the plugin to mitigate the risk of exploitation. It is essential to prevent any potential vulnerabilities from being exploited until a fix is available.
  2. Seek Alternatives: Look for alternative plugins that offer similar functionality to Custom Field Template while ensuring they have a strong security track record and regular updates.
  3. Monitor Official Updates: Continuously monitor the plugin’s official page and the WordPress repository for any updates or announcements from the vendor regarding a potential fix.
  4. Consider Security Assistance: Consult with WordPress security experts or developers to assess the potential impact on the website and implement additional security measures if necessary.