CVE-2026-57687
Hiroaki · Custom Field Template
A SQL injection vulnerability in the Custom Field Template plugin allows authenticated contributors to execute arbitrary database commands.
Executive summary
A high-severity SQL injection vulnerability in the Hiroaki Custom Field Template plugin allows authenticated contributors to compromise the underlying database.
Vulnerability
The plugin fails to properly sanitize user-supplied input before passing it to database queries, enabling authenticated contributors to perform SQL injection attacks.
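The advisory does not identify the affected code path, so the following is an added illustration of the general defect class, not code from the Custom Field Template plugin. It contrasts a request parameter concatenated into a query with the hardened form a WordPress plugin should use: a capability check, a nonce check, input sanitisation, and `$wpdb->prepare()`. The handler name `cft_example_lookup`, the parameter `meta_key` and the nonce action `cft_example_nonce` are assumptions for the example.

```php
<?php
// Added example, not code from the Custom Field Template plugin.
// Assumes a hypothetical AJAX handler that looks up custom-field values
// by meta key on behalf of a logged-in user.

// Vulnerable pattern: the request parameter is interpolated straight into SQL.
function cft_example_lookup_unsafe() {
    global $wpdb;
    $key = $_POST['meta_key'];                                   // attacker-controlled
    $sql = "SELECT post_id, meta_value FROM {$wpdb->postmeta} WHERE meta_key = '$key'";
    return $wpdb->get_results( $sql );                           // string concatenation: SQL injection
}

// Hardened pattern: capability check, CSRF nonce, sanitised input, prepared statement.
function cft_example_lookup_safe() {
    global $wpdb;

    // Only users allowed to edit posts reach this code path at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection; 'cft_example_nonce' is an assumed nonce action name.
    check_ajax_referer( 'cft_example_nonce', 'nonce' );

    // Strip slashes WordPress adds to request data, then sanitise as plain text.
    $key = sanitize_text_field( wp_unslash( $_POST['meta_key'] ?? '' ) );

    // $wpdb->prepare() quotes and escapes the value; %s is never inserted raw.
    $sql = $wpdb->prepare(
        "SELECT post_id, meta_value FROM {$wpdb->postmeta} WHERE meta_key = %s",
        $key
    );
    return $wpdb->get_results( $sql );
}
```

Note that the capability check alone does not address this advisory: the Contributor role already holds `edit_posts`, so a contributor would still reach the query. The prepared statement is the control that removes the injection; the capability and nonce checks only narrow who can reach the code and from where.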
Business impact
This vulnerability poses a significant risk to data integrity and confidentiality. With a CVSS score of 8.5, an attacker could extract sensitive information, modify records, or gain unauthorized administrative access, leading to severe reputational damage and system compromise.
Remediation
Immediate Action: Update the Custom Field Template plugin to the latest version provided by the vendor as soon as a security patch becomes available.
Proactive Monitoring: Review database audit logs for anomalous query patterns or unexpected administrative actions initiated by contributor-level accounts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious input requests targeting the application.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score, organizations should treat this vulnerability with urgency. Administrators must restrict the 'Contributor' role capabilities or disable the plugin until a vendor-supplied patch is verified and applied to the production environment.