Authenticated Attackers Can Expose Sensitive Post Metadata
CVE-2023-7049

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Custom Field For WP Job Manager
Vendor: CVE Published:; 16 August 2024

Summary

The Custom Field For WP Job Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2 via the the 'cm_fieldshow' shortcode due to missing validation on the 'job_id' user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to expose potentially sensitive post metadata.

Affected Version(s)

Custom Field For WP Job Manager * <= 1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3134344/cust...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 16, 2024
Vulnerability Reserved
Dec 21, 2023

Credit

Francesco Carlucci