Improper Control of Generation of Code ('Code Injection') Vulnerability Affects Advanced Custom Fields PRO
CVE-2024-34761

8.5 HIGH

Key Information:

Vendor: WPengine Inc
Status
Advanced Custom Fields Pro
Vendor
CVE Published: 10 June 2024

Summary

A vulnerability has been identified in WPENGINE INC's Advanced Custom Fields PRO plugin: Improper Control of Generation of Code, referred to as Code Injection. It affects the integrity and security of web applications running versions of Advanced Custom Fields PRO before 6.2.10. The vulnerability was discovered during a systematic security audit. It is a significant concern for developers and users relying on this plugin, as it may permit unauthorized execution of code, compromising the application.

Affected Version(s)

Advanced Custom Fields PRO < 6.2.10

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

WPEngine
Patchstack