{"id":"CVE-2021-24871","details":"The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.","modified":"2026-03-14T10:47:42.054289Z","published":"2021-12-13T11:15:09.320Z","references":[{"type":"EVIDENCE","url":"https://wpscan.com/vulnerability/28007c80-dc14-4987-a52c-f2a05cfe5905"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/coffee2code/get-custom-field-values","events":[{"introduced":"0"},{"fixed":"0bff027b8fe6f7588275064701de6b7bc3d3c158"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.0.1"}]}}],"versions":["3.5","3.6","3.6.1","3.7","3.8","3.9","3.9.1","3.9.2","3.9.3","3.9.4","4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-24871.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}