Custom Content Shortcode < 4.0.1 – Unauthorised Arbitrary Post Metadata Access | CVE 2021-24824 | Plugin Vulnerabilities

Description

The [field] shortcode included with the plugin, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved

Proof of Concept

With the WooCommerce plugin installed, add the following shortcode in a post as a contributor: [field _billing_email id="{order_id}"]

This would print out the order billing email, which contributors should have no access to!

This is valid for any post where the user is not allowed to access, but can use the shortcode to extrafiltrate any data by key/id.

Affects Plugins

custom-content-shortcode

Fixed in 4.0.1

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

Verified

Yes

WPVDB ID

7b4d4675-6089-4435-9b56-31496adc4767

Timeline

Publicly Published

2022-02-02 (about 3 years ago)

Added

2022-02-02 (about 3 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2025-06-11

Title

WordPress Single Sign-On (SSO) - Incorrect Authorization to Sensitive Information Exposure

Published

2025-04-24

Title

Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions

Published

2024-03-05

Title

Testimonial Slider < 2.3.7 - Author+ Settings Update

Published

2023-10-18

Title

BetterLinks < 1.6.1 - Improper Authorization to Data Import and Export

Published

2024-04-25

Title

WP Time Slots Booking Form < 1.2.07 - Unauthenticated Price Manipulation