WordPress Plugin Vulnerabilities

Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access

Description

The plugin allows you to display custom field values for any post via shortcode without checking for the correct access

Proof of Concept

Affects Plugins

Plugin icon
advanced-custom-fields
Fixed in 6.3
Plugin icon
advanced-custom-fields-pro
Fixed in 6.3

References

CVE
CVE-2024-4565

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Scott Kingsley Clark
Submitter
Scott Kingsley Clark
Submitter website
https://skc.dev
Verified
Yes
WPVDB ID
430224c4-d6e3-4ca8-b1bc-b2229a9bcf12

Timeline

Publicly Published
2024-05-30 (about 1 year ago)
Added
2024-05-30 (about 1 year ago)
Last Updated
2025-08-25 (about 4 months ago)

Other

Published
Title
Published
2024-06-03
Title
KiviCare < 3.6.7 - Patient+ Insecure Direct Object Reference
Published
2025-04-01
Title
User Registration & Membership (Free < 4.1.3, Pro < 5.1.3) - Authentication Bypass
Published
2025-12-06
Title
Thim Elementor Kit < 1.3.4 - Authenticated (Contributor+) Insecure Direct Object Reference
Published
2024-02-26
Title
User Shortcodes Plus <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode
Published
2024-03-13
Title
Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form < 2.10.2 - Unauthenticated Insecure Direct Object Reference to Form Submission Alteration