Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Injection
CVE-2021-24865

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Advanced Custom Fields: Extended
Vendor: CVE Published:; 24 January 2022

Summary

The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue

Affected Version(s)

Advanced Custom Fields: Extended 0.8.8.7

References

https://wpscan.com/vulnerability/055a2dcf-77ec-4e54-be7d-...

x_refsource_MISC

https://plugins.trac.wordpress.org/changeset/2648200

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 24, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

JrXnm