Schema Pro < 2.7.16 – Contributor+ Custom Field Access | CVE 2024-1564 | Plugin Vulnerabilities

Description

The plugin does not validate post access allowing a contributor user to access custom fields on any post regardless of post type or status via a shortcode

Proof of Concept

As a contributor, add/edit a post and embed `[aiosrs_pro_custom_field post_id="ANY_POST_ID" field_key="ANY_META_KEY"]` and specify/guess any post ID and meta key you may want to access

Save the post and preview it to disclose the post meta key value

Affects Plugins

Fixed in 2.7.16

References

CVE

YouTube Video

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Scott Kingsley Clark

Submitter

Scott Kingsley Clark

Submitter website

https://skc.dev

Verified

Yes

WPVDB ID

ecb1e36f-9c6e-4754-8878-03c97194644d

Timeline

Publicly Published

2024-03-04 (about 1 year ago)

Added

2024-03-04 (about 1 year ago)

Last Updated

2024-03-04 (about 1 year ago)

Other

Published

Title

Published

2022-09-19

Title

Memberpress Downloads < 1.2.6 - Subscriber+ Arbitrary File Upload

Published

2021-01-28

Title

uListing < 1.7 - Unauthenticated Arbitrary Account Change

Published

2021-01-28

Title

uListing < 1.7 - Missing Access Controls

Published

2022-02-22

Title

Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion

Published

2021-04-22

Title

Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User