Display custom fields in the frontend – Post and User Profile Fields < 1.3.0 – Insecure Direct Object Reference to Authenticated (Contributor+) Post Meta Disclosure | CVE 2023-6983 | Plugin Vulnerabilities

Description

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.1 via the vg_display_data shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive post meta.

Affects Plugins

shortcode-to-display-post-and-user-data

Fixed in 1.3.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/08d43c67-df40-4f1a-a351-803e59edee13

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

bacf2eb8-6210-4524-ab94-a0695990d02a

Timeline

Publicly Published

2024-01-16 (about 2 years ago)

Added

2024-01-18 (about 2 years ago)

Last Updated

2024-01-18 (about 2 years ago)

Other

Published

Title

Published

2023-08-30

Title

Metform Elementor Contact Form Builder < 3.3.2 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode

Published

2023-08-01

Title

Stripe Payment Plugin for WooCommerce < 3.7.8 - Authentication Bypass

Published

2025-10-08

Title

Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme < 1.5.0 - Authenticated (Subscriber+) Privilege Escalation

Published

2026-04-20

Title

EventPrime – Events Calendar, Bookings and Tickets < 4.3.0.1 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2021-03-17

Title

BuddyPress < 7.2.1 - Force a Friendship