Get Custom Field Values < 4.0 - Contributors+ Arbitrary Post Metadata Access

Description

The plugin allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata.

Proof of Concept

[custom_field field="{field_name}" post_id="{ID}"]

e.g [custom_field field="_ctct_verify_key" post_id="23"]

Affects Plugins

get-custom-field-values

Fixed in version 4.0✓

References

CVE

CVE-2021-24872

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-863

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website

https://carluc.ci

Submitter twitter

francecarlucci

Verified

Yes

WPVDB ID

ec23734a-5ea7-4e46-aba9-3dee4e6dffb6

Timeline

Publicly Published

2021-11-09 (about 25 days ago)

Added

2021-11-09 (about 25 days ago)

Last Updated

2021-11-09 (about 25 days ago)

Our Other Services

WPScan WordPress Security Plugin