Lucene search

Japan Vulnerability NotesJVN:98946408

HistoryAug 21, 2023 - 12:00 a.m.

JVN#98946408: WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting

2023-08-2100:00:00

Japan Vulnerability Notes

jvn.jp

wordpress

plugin

advanced custom fields

cross-site scripting

vulnerability

cwe-79

update

products affected.

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

48.6%

JSON

WordPress Plugin “Advanced Custom Fields” provided by WP Engine contains a cross-site scripting vulnerability (CWE-79).

Impact

An arbitrary script may be executed on the web browser of the user who is logging in to the product with the editor or higher privilege.

Solution

Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the versions listed below that address the vulnerability.

Advanced Custom Fields 6.1.8
Advanced Custom Fields Pro 6.1.8

Products Affected

Advanced Custom Fields versions 6.1.0 to 6.1.7
Advanced Custom Fields Pro versions 6.1.0 to 6.1.7