CVE-2024-49593

In Advanced Custom Fields (ACF) before 6.3.9 and Secure Custom Fields before 6.3.6.3 (plugins for WordPress), using the Field Group editor to edit one of the plugin's fields can result in execution of a stored XSS payload. NOTE: if you wish to use the WP Engine alternative update mechanism for the free version of ACF, then you can follow the process shown at the advancedcustomfields.com blog URL within the References section below.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wordpress.org/plugins/advanced-custom-fields/#developers
https://www.advancedcustomfields.com/blog/installing-and-upgrading-to-the-latest-version-of-acf/
https://www.advancedcustomfields.com/changelog/
https://x.com/wp_acf/status/1845190372764401908

Configurations

No configuration.

History

No history.

Information

Published : 2024-10-17 04:15

Updated : 2024-11-18 19:35

NVD link : CVE-2024-49593

Mitre link : CVE-2024-49593

CVE.ORG link : CVE-2024-49593

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-49593", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-10-17T04:15:03.440", "references": [{"url": "https://wordpress.org/plugins/advanced-custom-fields/#developers", "source": "cve@mitre.org"}, {"url": "https://www.advancedcustomfields.com/blog/installing-and-upgrading-to-the-latest-version-of-acf/", "source": "cve@mitre.org"}, {"url": "https://www.advancedcustomfields.com/changelog/", "source": "cve@mitre.org"}, {"url": "https://x.com/wp_acf/status/1845190372764401908", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In Advanced Custom Fields (ACF) before 6.3.9 and Secure Custom Fields before 6.3.6.3 (plugins for WordPress), using the Field Group editor to edit one of the plugin's fields can result in execution of a stored XSS payload. NOTE: if you wish to use the WP Engine alternative update mechanism for the free version of ACF, then you can follow the process shown at the advancedcustomfields.com blog URL within the References section below."}, {"lang": "es", "value": "En Advanced Custom Fields (ACF) anterior a la versi\u00f3n 6.3.9 y Secure Custom Fields anterior a la versi\u00f3n 6.3.6.3 (complementos para WordPress), el uso del editor de grupos de campos para editar uno de los campos del complemento puede provocar la ejecuci\u00f3n de un payload XSS almacenado. NOTA: si desea utilizar el mecanismo de actualizaci\u00f3n alternativo de WP Engine para la versi\u00f3n gratuita de ACF, puede seguir el proceso que se muestra en la URL del blog advancedcustomfields.com dentro de la secci\u00f3n Referencias a continuaci\u00f3n."}], "lastModified": "2024-11-18T19:35:04.960", "sourceIdentifier": "cve@mitre.org"}