WordPress Plugin Vulnerabilities

Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access

Description

The plugin's `[acf]` shortcode outputs the value of any custom field for any post selected by its `post_id` attribute, without checking that the user who placed the shortcode is allowed to read that post. Post status is not considered, so values from private, password-protected, draft and trashed posts are all returned, and `post_id="options"` returns values from ACF options pages. A user with the Contributor role, who can create and preview posts but not publish them or read other users' non-public content, can therefore read custom field values they are otherwise not permitted to see.

Proof of Concept

Reading fields of posts the Contributor cannot view:
1. ADMIN: Install Advanced Custom Fields (or ACF Pro)
2. ADMIN: Create a new field group for posts and add a field to it
3. ADMIN: Create posts with the ACF custom field filled in, one for each status: published, private, password-protected, draft, and trashed
4. CONTRIBUTOR: Add the shortcode to any post, specifying (or guessing) any post ID of any status and the ACF field's meta key, and save
5. CONTRIBUTOR: Preview the post; the custom field value is output

Reading fields of an options page:
1. ADMIN: Install Advanced Custom Fields (or ACF Pro)
2. ADMIN: Create an options page and add a new field group and field to it
3. ADMIN: Fill in content for the options page
4. CONTRIBUTOR: Add the shortcode to any post, specifying (or guessing) any ACF option field name, and save
5. CONTRIBUTOR: Preview the post; the option value is output

Example shortcodes:
`[acf post_id="ANY_POST_ID" field="ANY_ACF_META_KEY"]`
`[acf post_id="options" field="ANY_ACF_OPTION_NAME"]`
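The description and both proof-of-concept procedures above come down to one missing check: whether the principal who placed `[acf post_id="…" field="…"]` may read the referenced post or options page. The following must-use plugin is an added example, not ACF's own code or its 6.3 fix. It uses the WordPress core filter `pre_do_shortcode_tag` to suppress `[acf]` output unless the author of the post embedding the shortcode can read the target, and registers a WP-CLI command (the `acf-gate audit` name is hypothetical) that applies the same rule to stored content for incident review. The access rule itself is an assumption: options pages are treated as admin-only (`manage_options`), an omitted `post_id` is taken to mean the embedding post, and non-numeric targets other than `options` are denied.

```php
<?php
/**
 * Plugin Name: ACF shortcode access gate (illustrative stopgap + audit)
 *
 * Added example, not ACF's own code or fix. Two things in one mu-plugin:
 *  1. A 'pre_do_shortcode_tag' filter (core, WP 4.7+) that suppresses [acf]
 *     output unless the AUTHOR of the post embedding the shortcode may read
 *     the referenced target. The viewer is deliberately not the test: an
 *     admin placing [acf post_id="options"] in a public page means it to be
 *     public, while a Contributor must not exfiltrate what they cannot read.
 *  2. A WP-CLI command `wp acf-gate audit` (hypothetical name) that lists
 *     stored shortcodes (revisions and trash included) violating the same
 *     rule, for review after updating the plugin.
 * Assumptions: options pages are admin-only (manage_options); omitted post_id
 * means the embedding post; non-numeric targets other than options are denied.
 */

add_filter( 'pre_do_shortcode_tag', 'acfgate_filter_shortcode', 10, 4 );

function acfgate_filter_shortcode( $output, $tag, $attr, $m ) {
	if ( 'acf' !== $tag ) {
		return $output;
	}
	$embedding = get_post(); // post whose content is being rendered
	if ( ! $embedding instanceof WP_Post ) {
		return $output; // placed by theme/widget code, not by a post author
	}
	$attr    = is_array( $attr ) ? $attr : array();
	$post_id = isset( $attr['post_id'] ) ? (string) $attr['post_id'] : '';
	$allowed = '' === $post_id || acfgate_user_may_read( (int) $embedding->post_author, $post_id );
	return $allowed ? $output : ''; // false lets core run the real handler; '' suppresses it
}

/** Access rule: may $user_id read what [acf post_id="$post_id"] resolves to? */
function acfgate_user_may_read( $user_id, $post_id ) {
	if ( in_array( strtolower( $post_id ), array( 'option', 'options' ), true ) ) {
		return user_can( $user_id, 'manage_options' );
	}
	if ( ! preg_match( '/^\d+$/', $post_id ) ) {
		return false;
	}
	$target = get_post( (int) $post_id );
	if ( ! $target instanceof WP_Post ) {
		return false; // dangling or invalid ID: fail closed, shows up in the audit
	}
	// Published, viewable, unprotected posts are public anyway. This branch is
	// needed because read_post is false for anonymous users even on public posts.
	$status = get_post_status_object( get_post_status( $target ) );
	if ( $status && $status->public && is_post_type_viewable( $target->post_type )
		&& '' === $target->post_password ) {
		return true;
	}
	// Password-protected: only someone who could edit the post may echo it.
	if ( '' !== $target->post_password ) {
		return user_can( $user_id, 'edit_post', $target->ID );
	}
	// private/draft/pending/future/trash: read_post maps to read_private_posts
	// or edit_post depending on status, so a Contributor is denied for others' posts.
	return user_can( $user_id, 'read_post', $target->ID );
}

/** Audit stored content for [acf] shortcodes whose author could not read the target. */
function acfgate_audit() {
	global $wpdb;
	$rows = $wpdb->get_results( $wpdb->prepare(
		"SELECT ID, post_author, post_type, post_status, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
		'%' . $wpdb->esc_like( '[acf' ) . '%'
	) );
	$regex    = '/' . get_shortcode_regex( array( 'acf' ) ) . '/';
	$findings = array();
	foreach ( $rows as $row ) {
		if ( ! preg_match_all( $regex, $row->post_content, $matches, PREG_SET_ORDER ) ) {
			continue;
		}
		foreach ( $matches as $m ) {
			$atts    = shortcode_parse_atts( $m[3] ); // group 3 of the core shortcode regex = attributes
			$post_id = is_array( $atts ) && isset( $atts['post_id'] ) ? (string) $atts['post_id'] : '';
			if ( '' === $post_id || acfgate_user_may_read( (int) $row->post_author, $post_id ) ) {
				continue;
			}
			$user       = get_userdata( (int) $row->post_author );
			$findings[] = array(
				'post'   => (int) $row->ID,
				'type'   => $row->post_type,
				'status' => $row->post_status,
				'author' => $user ? $user->user_login : '#' . $row->post_author,
				'target' => $post_id,
				'field'  => is_array( $atts ) && isset( $atts['field'] ) ? (string) $atts['field'] : '',
			);
		}
	}
	return $findings;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
	WP_CLI::add_command( 'acf-gate audit', function () {
		WP_CLI\Utils\format_items( 'table', acfgate_audit(), array( 'post', 'type', 'status', 'author', 'target', 'field' ) );
	} );
}
```

Save the file as wp-content/mu-plugins/acf-gate.php and run `wp acf-gate audit` to list embedding post, author, target and field for every stored shortcode that fails the rule. The gate keys on `post_author` rather than on the viewer because, with the default roles, anyone else who can edit a post holds `edit_others_posts` and therefore also `read_private_posts`, so the author is the least-privileged principal who could have placed the shortcode. The filter only intercepts shortcodes rendered through `do_shortcode()`, and the audit shows what is stored, not whether a preview was ever viewed; both are stopgaps, not a substitute for updating the plugin.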

Classification

Type
ACCESS CONTROLS

Miscellaneous

Original Researcher
Scott Kingsley Clark
Submitter
Scott Kingsley Clark
Verified
Yes

Timeline

Publicly Published
2024-05-30
Added
2024-05-30
Last Updated
2024-05-30
