CVE-2023-7286

Published: Oct 16, 2024Modified: Oct 16, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: security@wordfence.com (Secondary)

Description

The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above.

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (3)

https://plugins.trac.wordpress.org/changeset?new=2828750%40acf-quickedit-fields&old=2816195%40acf-quickedit-fields#file89

Source: security@wordfence.com

https://wpscan.com/vulnerability/3538e80e-c2c5-4e7b-97c3-b7debad7a136

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/5954bdc0-09e9-4691-95ff-02f7304514c9?source=cve

Source: security@wordfence.com

Timeline

No history available yet.