The Custom Field Template plugin for WordPress has a security issue that allows hackers to inject harmful code into web pages. This can happen when someone with certain permissions uses the plugin’s ‘cpt’ shortcode. This vulnerability affects all versions up to and including 2.6.1 because the plugin does not properly clean or protect content added by users. This means that attackers who are logged in with contributor-level or higher permissions can insert their own code into pages, which will run when someone visits that page.