WordPress Plugin Vulnerabilities

Advanced Custom Fields < 5.12.1 - Contributor+ Database Information Access

Description

The plugin does not have proper authorisation which could allow users with a role as low as contributor to view information on the database without the access permission

Affects Plugins

Plugin icon
advanced-custom-fields
Fixed in 5.12.1
Plugin icon
advanced-custom-fields-pro
Fixed in 5.12.1

References

CVE
CVE-2022-23183
URL
https://jvn.jp/en/jp/JVN42543427/

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Keitaro Yamazaki of Ierae Security, Inc
Verified
No
WPVDB ID
413576a8-0f20-465e-80cf-7cb0cb22bded

Timeline

Publicly Published
2022-03-30 (about 3 years ago)
Added
2022-03-30 (about 3 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2025-02-27
Title
Cardealer < 1.6.5 - Arbitrary Theme Option Update to Authenticated (Subscriber+) Privilege Escalation
Published
2024-07-11
Title
Titan Anti-spam & Security < 7.3.8 - Missing Authorization
Published
2024-01-31
Title
NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.7 - Missing Authorization via set_starred()
Published
2025-12-15
Title
Photo Block < 1.6.0 - Missing Authorization
Published
2024-08-14
Title
SmartSearchWP <= 2.4.4 - Unauthenticated Log Purge