PT-2022-9474 · WordPress · Custom Content Shortcode

Francesco Carlucci

Published

2022-03-07

Updated

2022-04-12

CVE-2021-24824

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Custom Content Shortcode WordPress plugin versions prior to 4.0.1

Description The issue allows authenticated users with a role as low as contributor to access arbitrary post metadata, potentially leading to sensitive data disclosure. For example, when used in combination with WooCommerce, it can be used to retrieve the email address of orders.

Recommendations For versions prior to 4.0.1, update to version 4.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the field shortcode to higher roles until the update is applied.

Exploit

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2021-24824

Affected Products

Custom Content Shortcode

PT-2022-9474 · WordPress · Custom Content Shortcode

CVE-2021-24824

Weakness Enumeration

Related Identifiers

Affected Products

References · 3