Get Custom Field Values < 4.0 - Contributors+ Arbitrary Post Metadata Access
CVE-2021-24872

6.5 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 13 December 2021

Summary

The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts' metadata, because it does not validate permissions. For example, contributors can access the metadata of admin posts.

Affected Version(s)

Get Custom Field Values 4.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Francesco Carlucci