CVE-2024-45429
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker's.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WP Engine | Advanced Custom Fields | 6.3.5 and earlier | affected |
| WP Engine | Advanced Custom Fields Pro | 6.3.5 and earlier | affected |
Weaknesses
- Cross-site scripting (XSS)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.advancedcustomfields.com/blog/acf-6-3-6/
- https://wordpress.org/plugins/advanced-custom-fields/
- https://www.advancedcustomfields.com/
- https://jvn.jp/en/jp/JVN67963942/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.