Arbitrary PHP Code Execution Vulnerability in Custom Field Suite for WordPress
CVE-2024-3562

8.8HIGH

Key Information:

Vendor
Wordpress
Status
Custom Field Suite
Vendor
CVE Published:
20 June 2024

Summary

The Custom Field Suite plugin for WordPress presents a vulnerability that allows PHP code injection through the Loop custom field. This issue arises from inadequate sanitization of user input, specifically prior to its use in the eval() function. Attackers with authenticated access at the contributor level or above can exploit this vulnerability to execute arbitrary PHP code on the server. This could lead to unauthorized access, data corruption, or further security incidents. It is crucial for users utilizing affected versions to apply necessary updates to mitigate these security risks.

Affected Version(s)

Custom Field Suite * <= 2.6.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://github.com/mgibbs189/custom-field-suite/blob/963d...
https://github.com/mgibbs189/custom-field-suite/blob/963d...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jack Taylor
.