Missing Authorization Vulnerability in Advanced Custom Fields PRO
CVE-2024-37249

4.3MEDIUM

Key Information:

Vendor: WPengine Inc.
Status: Advanced Custom Fields Pro
Vendor: CVE Published:; 1 November 2024

Summary

A missing authorization vulnerability exists in the Advanced Custom Fields PRO plugin by WPEngine Inc., allowing attackers to exploit incorrectly configured access control security levels. This flaw can potentially grant unauthorized access to sensitive functionalities, impacting user security and data integrity. Users are advised to verify their plugin version and apply necessary updates to mitigate the risks associated with this vulnerability.

Affected Version(s)

Advanced Custom Fields PRO <= 6.3.1

References

https://patchstack.com/database/vulnerability/advanced-cu...

vdb-entry

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 1, 2024
Vulnerability Reserved
Jun 4, 2024

Credit

Rafie Muhammad (Patchstack)