WordPress Plugin Vulnerabilities

Advanced Custom Fields < 5.11 - Subscriber+ Arbitrary ACF Data/Field Groups View and Fields Move

Description

Some of the functions did not have proper capability checks in place, allowing low privilege users such as subscribers to view arbitrary ACF data, movie fields, as well as view field groups.

Affects Plugins

advanced-custom-fields

Fixed in version 5.11

advanced-custom-fields-pro

Fixed in version 5.11

References

CVE

CVE-2021-20865

CVE

CVE-2021-20866

CVE

CVE-2021-20867

URL

https://wordpress.org/plugins/advanced-custom-fields/#developers

URL

https://jvn.jp/en/jp/JVN09136401/

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

Keitaro Yamazaki

Submitter

Tom van Miltenburg

Submitter website

https://www.milcraft.nl

Verified

Yes

WPVDB ID

f322619a-e85d-4931-8785-eb9cf30cef7f

Timeline

Publicly Published

2021-08-25 (about 2 years ago)

Added

2021-08-26 (about 2 years ago)

Last Updated

2023-01-27 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin