Arbitrary Function Execution Through Setting Import
CVE-2024-9529
Key Information:
- Vendor
- Secure Custom Fields WordPress plugin
- Status
- Secure Custom Fields
- Advanced Custom Fields Pro
- Vendor
- CVE Published:
- 15 November 2024
Badges
Summary
The Secure Custom Fields and Advanced Custom Fields Pro plugins for WordPress exhibit a significant vulnerability that enables high privilege users, particularly administrators, to execute arbitrary PHP functions through the plugins' setting import functionalities. This oversight allows for potential exploitation, where unauthorized actions can be initiated, raising considerable security concerns for users utilizing these plugins.
Affected Version(s)
Advanced Custom Fields Pro 0 < 6.3.9
Secure Custom Fields 6.3.7 < 6.3.9
Secure Custom Fields 0 < 6.3.6.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved