WordPress Shortcode to display post and user data plugin <= 1.2.0 - Broken Access Control vulnerability
CVE-2023-31073

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Display Custom Fields In The Frontend – Post And User Profile Fields
Vendor: CVE Published:; 9 December 2024

Summary

A vulnerability exists in the Jose Vega Display Custom Fields plugin for WordPress, which allows attackers to exploit incorrectly configured access control security levels. This missing authorization issue can lead to unauthorized access to sensitive data displayed on the frontend, specifically in post and user profile fields. Users utilizing versions of this plugin from its initial release up to and including version 1.2.0 are particularly at risk. Proper security configurations and updates are crucial to mitigate this vulnerability and protect user data effectively.

Affected Version(s)

Display custom fields in the frontend – Post and User Profile Fields <= 1.2.0

References

https://patchstack.com/database/wordpress/plugin/shortcod...

vdb-entry

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 9, 2024
Vulnerability Reserved
Apr 24, 2023

Credit

Yuki Haruma (Patchstack Alliance)