Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker's.
References
Link | Resource |
---|---|
https://jvn.jp/en/jp/JVN67963942/ | Third Party Advisory |
https://wordpress.org/plugins/advanced-custom-fields/ | Product |
https://www.advancedcustomfields.com/ | Product |
https://www.advancedcustomfields.com/blog/acf-6-3-6/ | Release Notes |
Configurations
Configuration 1 (hide)
|
History
13 Sep 2024, 20:48
Type | Values Removed | Values Added |
---|---|---|
References | () https://jvn.jp/en/jp/JVN67963942/ - Third Party Advisory | |
References | () https://wordpress.org/plugins/advanced-custom-fields/ - Product | |
References | () https://www.advancedcustomfields.com/ - Product | |
References | () https://www.advancedcustomfields.com/blog/acf-6-3-6/ - Release Notes | |
First Time |
Wpengine advanced Custom Fields
Wpengine |
|
CWE | CWE-79 | |
CPE | cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:*:wordpress:*:* cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:pro:wordpress:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
05 Sep 2024, 12:53
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
04 Sep 2024, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-04 23:15
Updated : 2024-09-13 20:48
NVD link : CVE-2024-45429
Mitre link : CVE-2024-45429
CVE.ORG link : CVE-2024-45429
JSON object : View
Products Affected
wpengine
- advanced_custom_fields
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')