Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access
CVE-2021-24824

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Custom Content Shortcode
Vendor: CVE Published:; 7 March 2022

Summary

The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved

Affected Version(s)

Custom Content Shortcode 4.0.1

References

https://wpscan.com/vulnerability/7b4d4675-6089-4435-9b56-...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 7, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

Francesco Carlucci