CVE-2024-45429

2024-09-0423:15:12

CWE-79

[email protected]

web.nvd.nist.gov

cross-site scripting

advanced custom fields

version 6.3.5

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.1%

JSON

Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the ‘capability’ setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker’s.

Affected configurations

Nvd

Node

wpengineadvanced_custom_fieldsRange≤6.3.5wordpress

wpengineadvanced_custom_fieldsRange≤6.3.5prowordpress

VendorProductVersionCPE
wpengineadvanced_custom_fields*cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:*:wordpress:*:*
wpengineadvanced_custom_fields*cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:pro:wordpress:*:*

Vendor	Product	Version	CPE
wpengine	advanced_custom_fields	*	cpe:2.3:a:wpengine:advanced_custom_fields::::::wordpress::*
wpengine	advanced_custom_fields	*	cpe:2.3:a:wpengine:advanced_custom_fields:::::pro:wordpress::