Reporter Tom Adams
Software: Advanced Custom Fields: Table Field
Advisory report: https://security.dxw.com/advisories/xss-in-advanced-custom-fields-table-field-could-allow-authenticated-users-to-do-almost-anything-an-admin-user-can/
CVE: Awaiting assignment
CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N)
Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can
Proof of concept
Add a new ACF field group
Add a new table-type field to that field group
Create a new post/page, wherever the field group is set to display
Enter a<script>alert(1)</script>a into a field and save the post
Tested with ACF PRO v5. Not tested with v4.
Update toA versionA 1.1.13 or later.
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on firstname.lastname@example.org to acknowledge this report if you received it via a third party (for example, email@example.com) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
2016-07-13: Reported to vendor byA email
2016-07-13: Requested CVE
2016-07-13: Vendoras autoresponder saidA they were unavailable until 1st August
2016-08-01: Vendor reported they were working on a fix
2016-08-01: Vendor reported issue fixed in 1.1.13
2016-08-08: Advisory published
Discovered by dxw:
Please visit security.dxw.com for more information.