WordPress Plugin Vulnerabilities

Just Custom Fields <= 3.3.2 - Cross-Site Request Forgery on AJAX Actions

Description

The Just Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on multiple AJAX actions. This makes it possible for unauthenticated attackers to create, modify, and delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
just-custom-fields
No known fix

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/79899dc1-4953-4f95-95f5-853d24e7b9ab

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
72dd0314-060b-47ed-99b8-d29ac5970f2f

Timeline

Publicly Published
2023-10-19 (about 2 years ago)
Added
2023-12-19 (about 2 years ago)
Last Updated
2024-01-12 (about 2 years ago)

Other

Published
Title
Published
2024-10-13
Title
ShortPixel Image Optimizer < 5.6.4 - Missing Authorization
Published
2025-07-22
Title
AI Tools <= 4.0.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2022-08-31
Title
WP Shop Original <= 3.9.6 - Unauthenticated Settings Update
Published
2024-01-08
Title
MailerLite – WooCommerce integration < 2.0.9 - Missing Authorization via Multiple Functions
Published
2024-01-24
Title
Category Discount Woocommerce < 4.13 - Missing Authorization via wpcd_save_discount()