CVE-2024-34762

2024-06-1016:15:13

CWE-22

[email protected]

web.nvd.nist.gov

vulnerability

wpengine inc

advanced custom fields pro

php local file inclusion

path traversal

security audit

cve-2024-34762

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.6%

JSON

Vulnerability discovered by executing a planned security audit.

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in WPENGINE INC Advanced Custom Fields PRO allows PHP Local File Inclusion.This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10.

Affected configurations

Vulners

Node

wpengine_incadvanced_custom_fields_proRange<6.2.10

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Advanced Custom Fields PRO",
    "vendor": "WPENGINE INC",
    "versions": [
      {
        "changes": [
          {
            "at": "6.2.10",
            "status": "unaffected"
          }
        ],
        "lessThan": "6.2.10",
        "status": "affected",
        "version": "n/a",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/advanced-custom-fields-pro/wordpress-advanced-custom-fields-pro-plugin-6-2-10-contributor-local-file-inclusion-vulnerability?_s_id=cve