Improper Control of Generation of Code ('Code Injection') Vulnerability Affects Advanced Custom Fields PRO
CVE-2024-34761
8.5HIGH
Key Information:
- Vendor
- WPengine Inc
- Status
- Advanced Custom Fields Pro
- Vendor
- CVE Published:
- 10 June 2024
Summary
A vulnerability has been identified in WPENGINE INC's Advanced Custom Fields PRO plugin, allowing for improper control over the generation of code, referred to as Code Injection. This security risk can affect the integrity and security of web applications utilizing versions of Advanced Custom Fields PRO up until 6.2.10. The vulnerability was discovered during a systematic security audit, highlighting a significant area of concern for developers and users relying on this plugin as it may permit unauthorized execution of code, compromising the application.
Affected Version(s)
Advanced Custom Fields PRO < 6.2.10
References
CVSS V3.1
Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
WPEngine
Patchstack