Authorization Vulnerability in Advanced Custom Fields by WordPress
CVE-2021-20866

6.5 MEDIUM

What is CVE-2021-20866?

A missing authorization vulnerability in Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 enables unauthorized users to access the user list, potentially exposing sensitive information. The issue can be triggered through unspecified vectors, putting vendors at risk of data breaches and unauthorized access to user data. Users should upgrade to the latest versions to mitigate this security concern.

Affected Version(s)

Advanced Custom Fields and Advanced Custom Fields Pro versions prior to 5.11

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
