Lucene search

K
cve[email protected]CVE-2023-6996
HistoryFeb 05, 2024 - 10:15 p.m.

CVE-2023-6996

2024-02-0522:15:58
CWE-94
web.nvd.nist.gov
11
wordpress
plugin
vulnerability
code injection
cve-2023-6996

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.8%

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin’s vg_display_data shortcode in all versions up to, and including, 1.2.1 due to insufficient input validation and restriction on access to that shortcode. This makes it possible for authenticated attackers with contributor-level and above permissions to call arbitrary functions and execute code.

Affected configurations

Vulners
NVD
Node
josevegadisplay_custom_fields_in_the_frontend_-_post_and_user_profile_fieldsRange1.2.1
VendorProductVersionCPE
josevegadisplay_custom_fields_in_the_frontend_\-_post_and_user_profile_fields*cpe:2.3:a:josevega:display_custom_fields_in_the_frontend_\-_post_and_user_profile_fields:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "josevega",
    "product": "Display custom fields in the frontend – Post and User Profile Fields",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.2.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.8%

Related for CVE-2023-6996