Code Injection Vulnerability in Post and User Profile Fields Plugin for WordPress
CVE-2023-6996
8.8HIGH
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 5 February 2024
Summary
The Display Custom Fields in the frontend – Post and User Profile Fields plugin for WordPress contains a code injection vulnerability via the plugin's vg_display_data shortcode present in all versions up to 1.2.1. This vulnerability stems from inadequate input validation and a lack of access restrictions for the shortcode, allowing authenticated attackers with contributor-level permissions or higher to invoke arbitrary functions and execute malicious code, which can lead to unauthorized actions and potential compromises of the WordPress site.
Affected Version(s)
Display custom fields in the frontend – Post and User Profile Fields * <= 1.2.1
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Francesco Carlucci