CVE-2026-57687

Hiroaki · Custom Field Template

A SQL injection vulnerability in the Custom Field Template plugin allows authenticated contributors to execute arbitrary database commands.

Executive summary

A high-severity SQL injection vulnerability in the Hiroaki Custom Field Template plugin allows authenticated contributors to compromise the underlying database.

Vulnerability

The plugin fails to properly sanitize user-supplied input before passing it to database queries, enabling authenticated contributors to perform SQL injection attacks.

Business impact

This vulnerability poses a significant risk to data integrity and confidentiality. With a CVSS score of 8.5, an attacker could extract sensitive information, modify records, or gain unauthorized administrative access, leading to severe reputational damage and system compromise.

Remediation

Immediate Action: Update the Custom Field Template plugin to the latest version provided by the vendor as soon as a security patch becomes available.

Proactive Monitoring: Review database audit logs for anomalous query patterns or unexpected administrative actions initiated by contributor-level accounts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to filter requests carrying SQL injection payloads before they reach the application.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score, organizations should treat this vulnerability with urgency. Administrators must restrict the 'Contributor' role capabilities or disable the plugin until a vendor-supplied patch is verified and applied to the production environment.