Lucene search

WPScanCVE-2021-24872

HistoryDec 13, 2021 - 11:15 a.m.

CVE-2021-24872

2021-12-1311:15:09

CWE-863

WPScan

web.nvd.nist.gov

cve-2021-24872

get custom field values

wordpress

plugin

security vulnerability

unauthorized access

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

32.8%

JSON

The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata.

Affected configurations

Nvd

Vulners

Node

get_custom_field_values_projectget_custom_field_valuesRange<4.0wordpress

VendorProductVersionCPE
get_custom_field_values_projectget_custom_field_values*cpe:2.3:a:get_custom_field_values_project:get_custom_field_values:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
get_custom_field_values_project	get_custom_field_values	*	cpe:2.3:a:get_custom_field_values_project:get_custom_field_values::::::wordpress::*

CNA Affected

[
  {
    "product": "Get Custom Field Values",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "4.0",
        "status": "affected",
        "version": "4.0",
        "versionType": "custom"
      }
    ]
  }
]