PT-2024-33558 · WordPress · Advanced Custom Fields Pro +1
Duc Luong Tran +1 · Published 2024-10-16 · Updated 2024-11-18 · CVE-2024-49593
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Advanced Custom Fields (ACF) versions prior to 6.3.9
Secure Custom Fields versions prior to 6.3.6.3
Description
The vulnerability allows a stored XSS payload to execute when the Field Group editor is used to edit one of the plugin's fields in Advanced Custom Fields (ACF) and Secure Custom Fields for WordPress.
Recommendations
For Advanced Custom Fields (ACF) versions prior to 6.3.9, update to version 6.3.9 or later.
For Secure Custom Fields versions prior to 6.3.6.3, update to version 6.3.6.3 or later.
As a temporary workaround, consider restricting access to the Field Group editor until a patch is applied.
Fix · XSS
Affected Products
Advanced Custom Fields Pro
Secure Custom Fields