JVNDB-2024-000093 | |
WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting | |
Overview | |
The field labels in the WordPress plugin "Advanced Custom Fields" provided by WP Engine contain a cross-site scripting vulnerability (CWE-79). | |
CVSS Severity | |
CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
| |
Affected Products | |
| |
WP Engine | |
| |
Impact | |
If an attacker who holds the privilege specified by the 'capability' setting in the product settings stores an arbitrary script in a field label, the script may be executed in the web browser of a logged-in user with the same privilege as the attacker. | |
Solution | |
[Update the plugin] | |
Vendor Information | |
WP Engine | |
CWE | |
| |
CVE | |
| |
References | |
| |
Revision History | |
|
Date Public | 2024/09/04 |
Date First Published | 2024/09/04 |
Date Last Updated | 2024/09/04 |