Japan Vulnerability Notes, JVN:67963942
Sep 04, 2024 - 12:00 a.m.

JVN#67963942: WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting

Published: 2024-09-04 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)
Tags: wordpress, advanced custom fields, cross-site scripting, vulnerability, update, versions 6.3.6

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 6.5 (Confidence: High)
EPSS: 0.001 (Percentile: 21.1%)

The field labels in the WordPress plugin “Advanced Custom Fields” provided by WP Engine contain a cross-site scripting vulnerability (CWE-79).

Impact

If an attacker who holds the privilege specified by the ‘capability’ setting in the product settings stores an arbitrary script in the field label, the script may be executed in the web browser of a logged-in user with the same privilege as the attacker’s.

Solution

Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the versions listed below that address the vulnerability.

  • Advanced Custom Fields version 6.3.6
  • Advanced Custom Fields Pro 6.3.6

Products Affected

  • Advanced Custom Fields version 6.3.5 and earlier
  • Advanced Custom Fields Pro version 6.3.5 and earlier
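
To check a site inventory against the affected and fixed versions listed above, the following added example (not part of the advisory or the developer's code) triages CSV output of the kind produced by `wp plugin list --fields=name,status,update,version --format=csv`. The plugin slugs and the sample inventory are assumptions constructed for illustration.

```python
import csv
import io
import re

# Fixed release named in the advisory; 6.3.5 and earlier are affected.
FIXED = (6, 3, 6)
# Assumption: plugin slugs of the free and Pro editions (not stated in the advisory).
ACF_SLUGS = {"advanced-custom-fields", "advanced-custom-fields-pro"}

# Constructed sample inventory in wp-cli CSV layout.
SAMPLE = """name,status,update,version
akismet,active,none,5.3.3
advanced-custom-fields,active,available,6.3.5
advanced-custom-fields-pro,inactive,none,6.3.10
"""

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})(.*)", (version or "").strip())
    if not m:
        return "unknown"                      # empty or non-numeric: check by hand
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))             # '6.2' compares as 6.2.0
    nums = tuple(nums)
    if m.group(2) and nums[:3] == FIXED:
        return "unknown"                      # e.g. '6.3.6-beta1': not the final release
    return "affected" if nums < FIXED else "fixed"

def triage(inventory_csv):
    """Map each ACF plugin found in the inventory to its verdict."""
    verdicts = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = (row.get("name") or "").strip()
        if name in ACF_SLUGS:
            verdicts[name] = classify(row.get("version"))
    return verdicts

if __name__ == "__main__":
    for plugin, verdict in triage(SAMPLE).items():
        print(f"{plugin}: {verdict}")
```

Numeric comparison matters here: a plain string comparison would rank 6.3.10 below 6.3.6 and report a patched site as affected.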
