Insecure Direct Object Reference in Display Custom Fields Plugin for WordPress
CVE-2023-6983

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Display Custom Fields In The Frontend – Post And User Profile Fields
Vendor: CVE Published:; 5 February 2024

Summary

The Display Custom Fields plugin for WordPress is susceptible to an Insecure Direct Object Reference vulnerability in its vg_display_data shortcode. This flaw arises from inadequate validation of user-controlled input, allowing authenticated users with contributor-level access and higher to potentially access sensitive post meta information. This vulnerability underscores the importance of robust input validation practices in web applications to mitigate unauthorized data access risks.

Affected Version(s)

Display custom fields in the frontend – Post and User Profile Fields * <= 1.2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 5, 2024
Vulnerability Reserved
Dec 20, 2023

Credit

Francesco Carlucci