976 matches found
CVE-2023-6701 Advanced Custom Fields <= 6.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-lev...
CVE-2023-6526
CVE-2023-6526 affects the WordPress plugin Meta Box – WordPress Custom Fields Framework. The vulnerability is a Stored Cross-Site Scripting (XSS) via custom post meta values rendered by the plugin’s shortcode, present in all versions up to and including 5.9.2. The root cause is insufficient inpu...
WordPress plugin Advanced Custom Fields security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...
WordPress plugin Display custom fields in the frontend Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. WordPress plugin is an application...
PT-2024-15058 · WordPress · Advanced Custom Fields Pro
Name of the Vulnerable Software and Affected Versions: Advanced Custom Fields (ACF) plugin for WordPress versions up to, and including, 6.2.4
Description: The issue is related to Stored Cross-Site Scripting via a custom text field due to insufficient input sanitization and output escaping. This...
PT-2024-15156 · WordPress · Display Custom Fields In The Frontend – Post/User Profile Fields
Name of the Vulnerable Software and Affected Versions: Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress versions up to, and including, 1.2.1
Description: The issue is related to Stored Cross-Site Scripting via the plugin's shortcode and postmeta due to...
CVE-2024-24755
discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom...
CVE-2024-24755 discourse-group-membership-ip-block is exposing potentially sensitive custom fields
discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom...
WordPress Display custom fields in the frontend – Post and User Profile Fields Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)
Software: Display custom fields in the frontend – Post and User Profile Fields; Type: Plugin; Vulnerable versions: <= 1.2.1; Fixed in: 1.3.0; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-6982; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownersh...
WordPress Display custom fields in the frontend – Post and User Profile Fields Plugin <= 1.2.1 is vulnerable to Insecure Direct Object References (IDOR)
Software: Display custom fields in the frontend – Post and User Profile Fields; Type: Plugin; Vulnerable versions: <= 1.2.1; Fixed in: 1.3.0; OWASP Top 10: A1: Broken Access Control; Classification: Insecure Direct Object References (IDOR); CVE: CVE-2023-6983; Patch priority: Low; CVSS severity: Low 4.3; Developer...
WordPress Display custom fields in the frontend – Post and User Profile Fields Plugin <= 1.2.1 is vulnerable to Arbitrary Code Execution
Software: Display custom fields in the frontend – Post and User Profile Fields; Type: Plugin; Vulnerable versions: <= 1.2.1; Fixed in: 1.3.0; OWASP Top 10: A3: Injection; Classification: Arbitrary Code Execution; CVE: CVE-2023-6996; Patch priority: Low; CVSS severity: Low 8.8; Developer: Claim ownership; PSID...
WordPress Advanced Custom Fields Plugin < 6.2.5 is vulnerable to Cross Site Scripting (XSS)
Software: Advanced Custom Fields; Type: Plugin; Vulnerable versions: < 6.2.5; Fixed in: 6.2.5; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-6701; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: d7cb7ac0fa29; Credits: Francesco Carlucci; Required...
WordPress Advanced Custom Fields PRO Plugin < 6.2.5 is vulnerable to Cross Site Scripting (XSS)
Software: Advanced Custom Fields PRO; Type: Plugin; Vulnerable versions: < 6.2.5; Fixed in: 6.2.5; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-6701; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 5c62a93a2661; Credits: Francesco Carlucci; Required...
CVE-2023-6781
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 2.10.26 due to insufficient input sanitization and output escaping on user supplied values. This makes it possible for authenticated...
PT-2024-15132 · WordPress · Oxygen Builder
Name of the Vulnerable Software and Affected Versions: Oxygen Builder plugin for WordPress versions up to, and including, 4.8
Description: The issue is related to Stored Cross-Site Scripting via a custom field due to insufficient input sanitization and output escaping. This allows authenticated...
WordPress Advanced Custom Fields Plugin 5.8.10 < 5.12.6 XSS Vulnerability
The WordPress plugin SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:advancedcustomfields:advancedcustomfields"; if description...
WordPress Advanced Custom Fields Plugin 3.1.1 < 6.0.3 Information Disclosure Vulnerability
The WordPress plugin SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:advancedcustomfields:advancedcustomfields"; if description...