Description

WordPress Plugin Advanced Custom Fields (ACF) is prone to multiple security bypass vulnerabilities. Exploiting these issues may allow attackers to perform otherwise restricted actions and subsequently browse unauthorized data on the database, or move field groups. WordPress Plugin Advanced Custom Fields (ACF) version 5.10.2 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 5.11 or latest

References

https://jvn.jp/en/jp/JVN09136401/index.html

https://plugins.svn.wordpress.org/advanced-custom-fields/trunk/readme.txt

Related Vulnerabilities

Jboss EAP Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Vulnerability (CVE-2021-3597)

PostgreSQL Other Vulnerability (CVE-2002-1398)

WordPress Plugin Media File Renamer-Auto & Manual Rename Cross-Site Request Forgery (5.2.5)

WordPress Plugin Amministrazione Trasparente Cross-Site Request Forgery (7.1)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2014-9479)

Severity

High

Classification

CVE-2021-20865 CVE-2021-20866 CVE-2021-20867 CWE-862 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass