Published:2024/09/04  Last Updated:2024/09/04

JVN#67963942
WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting

Overview

WordPress Plugin "Advanced Custom Fields" contains a cross-site scripting vulnerability.

Products Affected

  • Advanced Custom Fields version 6.3.5 and earlier
  • Advanced Custom Fields Pro version 6.3.5 and earlier

Description

The field labels in WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79).

Impact

If an attacker with the 'capability' setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker's.

Solution

Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the versions listed below that address the vulnerability.

  • Advanced Custom Fields version 6.3.6
  • Advanced Custom Fields Pro 6.3.6

Vendor Status

Vendor Link
WP Engine ACF 6.3.6 Security Release
Advanced Custom Fields
Advanced Custom Fields for WordPress Developers.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score: 5.4
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Credit

Ryo Sotoyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-45429
JVN iPedia JVNDB-2024-000093