Authorization Flaw in Advanced Custom Fields Plugin for WordPress
CVE-2021-20867

6.5 MEDIUM

What is CVE-2021-20867?

Versions of the Advanced Custom Fields plugin prior to 5.11 have a missing authorization vulnerability that permits unauthorized users to move field groups. The issue is reachable through unspecified vectors and puts the integrity of the plugin's configuration settings at risk. Users are advised to update to the latest version to mitigate potential exploitation of this vulnerability.

Affected Version(s)

Advanced Custom Fields and Advanced Custom Fields Pro versions prior to 5.11

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
