JVNDB-2023-000084
|
WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting
|
WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79).
Ryotaro Imamura of SB Technology Corp. and Satoo Nakano reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
WP Engine
- Advanced Custom Fields versions 6.1.0 to 6.1.7
- Advanced Custom Fields Pro versions 6.1.0 to 6.1.7
|
An arbitrary script may be executed in the web browser of a user who is logged in to the product with editor or higher privileges.
|
[Update the plugin]
Update the plugin according to the information provided by the developer.
The developer has released the versions listed below that address the vulnerability.
* Advanced Custom Fields 6.1.8
* Advanced Custom Fields Pro 6.1.8
|
WP Engine
|
- Cross-site Scripting (CWE-79) [IPA Evaluation]
|
- CVE-2023-40068
|
- JVN : JVN#98946408
- National Vulnerability Database (NVD) : CVE-2023-40068
|
- [2023/08/21] Web page was published
- [2023/09/08] Overview was modified
- [2024/03/25] References: Content was added
|