Description

WordPress Plugin Advanced Custom Fields PRO is prone to multiple security bypass vulnerabilities. Exploiting these issues may allow attackers to perform otherwise restricted actions and subsequently browse unauthorized data on the database, or move field groups. WordPress Plugin Advanced Custom Fields PRO version 5.10 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 5.11 or latest

References

https://jvn.jp/en/jp/JVN09136401/index.html

https://www.advancedcustomfields.com/blog/acf-5-11-release-rest-api/

Related Vulnerabilities

Resin Application Server Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-2966)

WordPress Plugin Wordfence Security-Firewall & Malware Scan Cross-Site Scripting (3.8.6)

ownCloud Other Vulnerability (CVE-2013-1851)

WordPress Plugin All-in-One WP Migration Security Bypass (2.0.4)

Dolibarr Weak Password Recovery Mechanism for Forgotten Password Vulnerability (CVE-2021-25957)

Severity

High

Classification

CVE-2021-20865 CVE-2021-20866 CVE-2021-20867 CWE-862 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass