Published:2022/03/30 Last Updated:2022/03/30
JVN#42543427
WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization
Overview
WordPress Plugin "Advanced Custom Fields" contains a missing authorization vulnerability.
Products Affected
- Advanced Custom Fields versions prior to 5.12.1
- Advanced Custom Fields Pro versions prior to 5.12.1
Description
WordPress Plugin "Advanced Custom Fields" provided by Delicious Brains contains a missing authorization vulnerability (CWE-862).
Impact
An authenticated user of the site holding a lower-privileged role (Editor, Author or Contributor) may read information from the database that their role does not permit them to access.
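The weakness class named above (CWE-862) is worth seeing in the shape it typically takes in a WordPress plugin: an admin-ajax handler that is reachable by any logged-in user and never asks which users are allowed to read the data it returns. The following is an added, generic illustration written for this page; it is not the Advanced Custom Fields code and does not claim to show the actual defect. The action names, function names and the option key `example_private_settings` are hypothetical, and the script handle `example-admin` is assumed to be registered elsewhere.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress
// admin-ajax handler. NOT Advanced Custom Fields code: the action names,
// function names and the option key are hypothetical.

// --- Weak: every logged-in user can reach this handler. ---
// Hooking only wp_ajax_{action} (and not wp_ajax_nopriv_{action}) limits the
// endpoint to authenticated users, but Editors, Authors and Contributors are
// all authenticated. Nothing here checks what the caller is allowed to see.
add_action( 'wp_ajax_example_get_settings', 'example_get_settings_weak' );
function example_get_settings_weak() {
    // Returns the whole option row to anyone who can log in.
    wp_send_json_success( get_option( 'example_private_settings', array() ) );
}

// --- Hardened: verify intent (nonce) and authorization (capability). ---
add_action( 'wp_ajax_example_get_settings_v2', 'example_get_settings_hardened' );
function example_get_settings_hardened() {
    // 1. Nonce: the request came from a page rendered for this user, not a
    //    forged cross-site request. check_ajax_referer() dies with 403 on
    //    failure. This is a CSRF control, not an authorization control.
    check_ajax_referer( 'example_get_settings', 'nonce' );

    // 2. Authorization: the check that actually closes CWE-862. Use the
    //    capability that matches the data; for site-level settings that is
    //    'manage_options', which only Administrators hold by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. For per-object data, check the object rather than a blanket role:
    //    e.g. current_user_can( 'edit_post', $post_id ) before returning
    //    anything tied to $post_id.
    wp_send_json_success( get_option( 'example_private_settings', array() ) );
}

// The page that issues the request must carry a nonce for the same action,
// otherwise the hardened handler's check_ajax_referer() always fails.
// Assumes a script with handle 'example-admin' is registered elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_get_settings' ),
    ) );
} );
```

When verifying a fix of this kind, log in as the lowest role the advisory names (Contributor) and issue the request directly with a valid nonce: the hardened handler must answer 403, since a nonce alone proves only that the request is not forged, not that the caller is entitled to the data.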
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the versions listed below, which address the vulnerability.
- Advanced Custom Fields 5.12.1
- Advanced Custom Fields Pro 5.12.1
Vendor Status
Vendor | Link
---|---
Delicious Brains | Advanced Custom Fields
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score: 6.5

Metric | Value
---|---
Attack Vector (AV) | Network (N)
Attack Complexity (AC) | Low (L)
Privileges Required (PR) | Low (L)
User Interaction (UI) | None (N)
Scope (S) | Unchanged (U)
Confidentiality Impact (C) | High (H)
Integrity Impact (I) | None (N)
Availability Impact (A) | None (N)
CVSS v2
AV:N/AC:L/Au:S/C:P/I:N/A:N
Base Score: 4.0

Metric | Value
---|---
Access Vector (AV) | Network (N)
Access Complexity (AC) | Low (L)
Authentication (Au) | Single (S)
Confidentiality Impact (C) | Partial (P)
Integrity Impact (I) | None (N)
Availability Impact (A) | None (N)
Credit
Keitaro Yamazaki of Ierae Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Item | Value
---|---
JPCERT Alert | 
JPCERT Reports | 
CERT Advisory | 
CPNI Advisory | 
TRnotes | 
CVE | CVE-2022-23183
JVN iPedia | JVNDB-2022-000023