Published:2021/12/02  Last Updated:2022/02/17

JVN#09136401
Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields"

Overview

WordPress Plugin "Advanced Custom Fields" contains multiple missing authorization vulnerabilities.

Products Affected

  • Advanced Custom Fields versions prior to 5.11
  • Advanced Custom Fields Pro versions prior to 5.11

Description

WordPress Plugin "Advanced Custom Fields" provided by Delicious Brains contains multiple missing authorization vulnerabilities listed below.

  • Missing authorization related to database browsing (CWE-862) - CVE-2021-20865
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • Missing authorization related to user list obtaining (CWE-862) - CVE-2021-20866
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • Missing authorization related to field group movement (CWE-862) - CVE-2021-20867
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0

Impact

A user with a lower level of authority than Editor role (such as Subscriber, Contributor, Author roles) may:

  • View the information on the database without the access permission - CVE-2021-20865
  • Obtain a list of information without the access permission - CVE-2021-20866
  • Move the field group without the usage permission - CVE-2021-20867

Solution

Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the versions listed below that address the vulnerabilities.

  • Advanced Custom Fields 5.11
  • Advanced Custom Fields Pro 5.11

Vendor Status

Vendor Link
Delicious Brains Advanced Custom Fields
Edit content with Advanced Custom Fields for WordPress Developers.
Updates to ACF Field Functions in 5.11

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Keitaro Yamazaki of Ierae Security, Inc reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20865
CVE-2021-20866
CVE-2021-20867
JVN iPedia JVNDB-2021-000109

Update History

2022/01/05
Information under the section [Impact] was updated. The typos under the section [Impact], [Solution], [Credit] were fixed.
2022/02/17
Information was added to the section [Vendor Status].