Code Injection Vulnerability in Post and User Profile Fields Plugin for WordPress
CVE-2023-6996
Severity: 8.8 (HIGH)
Key Information:
- Vendor: WordPress
- CVE Published: 5 February 2024
What is CVE-2023-6996?
The Display Custom Fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to code injection via the plugin's vg_display_data shortcode in all versions up to and including 1.2.1. The root cause is insufficient validation of the shortcode's input combined with a lack of restriction on what the shortcode may invoke. Because WordPress lets any user with contributor-level permissions or higher place shortcodes in post content, an authenticated attacker at that level can use the shortcode to call arbitrary functions and execute malicious code, which can lead to unauthorized actions and full compromise of the WordPress site. Sites should update to a version later than 1.2.1; until then, treat the contributor role as able to execute server-side code.
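The following is an added, hypothetical illustration of the vulnerability class described above; it is not the plugin's own code and does not reproduce vg_display_data. The shortcode name demo_display_data, its attributes, and the allowlist are assumptions chosen for the example. The first handler shows the anti-pattern (a shortcode attribute chooses which PHP function runs), the second shows the hardened form (a fixed allowlist of formatters, a fixed allowlist of meta keys, and escaped output).

```php
<?php
// Added example (hypothetical, not the plugin's code): an "arbitrary function
// call via shortcode attribute" anti-pattern next to a hardened version.
// Assumes it runs inside WordPress (shortcode_atts, add_shortcode, get_post_meta,
// esc_html are WordPress core functions).

// VULNERABLE pattern: the function name comes straight from post content.
// A contributor who writes [demo_display_data func="system" value="id"]
// gets that function executed when the post is rendered or previewed.
function demo_display_data_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'func' => 'esc_html', 'value' => '' ),
        $atts
    );
    // call_user_func() with user-controlled callable == code injection.
    return call_user_func( $atts['func'], $atts['value'] );
}

// HARDENED pattern: never accept a callable from input. Map short, fixed
// keys to vetted formatters, restrict which meta keys may be displayed,
// and escape everything before output.
function demo_display_data_safe( $atts ) {
    // Assumed allowlist of display formatters (example values).
    $formatters = array(
        'plain' => 'esc_html',
        'upper' => 'strtoupper',
        'lower' => 'strtolower',
    );
    // Assumed allowlist of meta keys the site owner wants exposed.
    $allowed_keys = array( 'company', 'job_title' );

    $atts = shortcode_atts(
        array( 'key' => '', 'format' => 'plain', 'post_id' => 0 ),
        $atts
    );

    // Reject anything not on the allowlists rather than trying to sanitize it.
    if ( ! in_array( $atts['key'], $allowed_keys, true ) ) {
        return '';
    }
    if ( ! array_key_exists( $atts['format'], $formatters ) ) {
        $atts['format'] = 'plain';
    }

    $post_id = absint( $atts['post_id'] );
    if ( 0 === $post_id ) {
        $post_id = get_the_ID();
    }

    $value = get_post_meta( $post_id, $atts['key'], true );
    if ( ! is_string( $value ) ) {
        return '';
    }

    // The callable is one of ours, chosen by allowlist key, never by the author.
    $formatted = call_user_func( $formatters[ $atts['format'] ], $value );

    // Escape on output regardless of which formatter ran.
    return esc_html( $formatted );
}

add_shortcode( 'demo_display_data', 'demo_display_data_safe' );
```

Two points a practitioner should keep in mind when reviewing shortcode handlers for this bug class. First, a shortcode executes when the post is rendered, so a capability check on the current viewer does not protect against a low-privileged author: the author's privilege, or better a fixed allowlist, is what must bound the behaviour. Second, the same reasoning applies to any shortcode or block that takes a callable, a class name, a meta key, or an option name from its attributes; grep plugin code for call_user_func, call_user_func_array, and variable function calls such as $name() whose arguments can originate from shortcode attributes.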
Affected Version(s)
Display custom fields in the frontend – Post and User Profile Fields: all versions up to and including 1.2.1 (* <= 1.2.1)