JVNDB-2024-000093

WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting

Overview

WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79) in its handling of field labels.

Ryo Sotoyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Affected Products

WP Engine
  • Advanced Custom Fields version 6.3.5 and earlier
  • Advanced Custom Fields Pro version 6.3.5 and earlier

Impact

If an attacker who holds the privilege configured in the product's 'capability' setting stores an arbitrary script in a field label, that script may be executed in the web browser of a logged-in user who holds the same privilege as the attacker.
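The following PHP snippet is an added illustration of the vulnerability class described above; it is not code from Advanced Custom Fields or WP Engine, and the label-rendering functions, the CSS class name and the sample labels are all constructed for the example. It contrasts a render function that interpolates a stored label verbatim with one that HTML-encodes it for the context it is written into, which is the output-side control that neutralises stored cross-site scripting.

```php
<?php
// Added example (not ACF's code): rendering a stored field label into an admin screen.
// A label is "stored" data: it was typed by some user with label-editing rights
// and later read back and written into HTML seen by other logged-in users.

// Constructed sample labels. The last two are the kind a user with label-editing
// rights could store; the text context and the attribute context are both shown.
$storedLabels = [
    'Title',
    'Price (USD)',
    '<script>alert(1)</script>',
    'Notes" onmouseover="alert(1)',
];

// Vulnerable pattern: untrusted label concatenated straight into markup.
function render_label_unescaped(string $label): string
{
    return '<label class="field-label">' . $label . '</label>';
}

// Encoder for HTML text and double-quoted attribute contexts.
// In WordPress code the equivalent helpers are esc_html() for text nodes and
// esc_attr() for attribute values; htmlspecialchars() is used here so the
// snippet runs outside WordPress.
function esc_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode at output time, for the context the value lands in.
function render_label_escaped(string $label): string
{
    return '<label class="field-label">' . esc_text($label) . '</label>';
}

// The attribute context needs encoding too: an unencoded quote would close the
// attribute and let the remainder of the label be parsed as new attributes.
function render_label_for_attribute(string $label): string
{
    return '<input type="text" placeholder="' . esc_text($label) . '">';
}

// Defender-side check: after encoding, no raw markup-significant characters remain.
function contains_raw_markup(string $fragment): bool
{
    return (bool) preg_match('/[<>"\']/', $fragment);
}

foreach ($storedLabels as $label) {
    echo "Stored label      : $label\n";
    echo "Unescaped render  : " . render_label_unescaped($label) . "\n";
    echo "Escaped render    : " . render_label_escaped($label) . "\n";
    echo "Attribute context : " . render_label_for_attribute($label) . "\n";
    echo "Encoded label still carries raw markup: "
        . (contains_raw_markup(esc_text($label)) ? 'yes' : 'no') . "\n\n";
}
```

Run it with `php example.php`. The point is that the label is encoded on output for the context it is written into (text node or attribute), not "cleaned" once on input; the same stored value needs different treatment in a text node, an attribute and a JavaScript string. For the actual product, the control is the vendor's fixed release named in the Solution section.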

Solution

[Update the plugin]
Update the plugin according to the information provided by the developer.
The developer has released the versions listed below that address the vulnerability.

* Advanced Custom Fields version 6.3.6
* Advanced Custom Fields Pro version 6.3.6

Vendor Information

WP Engine

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2024-45429

References

  1. JVN : JVN#67963942

Revision History

  • [2024/09/04]
      Web page was published