Get Custom Field Values < 4.0 - Contributors+ Arbitrary Post Metadata Access
CVE-2021-24872
6.5MEDIUM
Summary
The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata.
Affected Version(s)
Get Custom Field Values 4.0
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Francesco Carlucci