PT-2024-39679 · WordPress · Secure Custom Fields+1
Published
2024-10-06
·
Updated
2025-06-11
·
CVE-2024-9529
CVSS v3.1
6.6
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Secure Custom Fields WordPress plugin versions prior to 6.3.9
Advanced Custom Fields Pro WordPress plugin versions prior to 6.3.9
Description
The issue allows high privilege users, such as admins, to run arbitrary PHP functions through the setting import functionalities, which could lead to code injection. This could enable attackers to execute arbitrary code.
Recommendations
For Secure Custom Fields WordPress plugin versions prior to 6.3.9, upgrade to version 6.3.9 or later.
For Advanced Custom Fields Pro WordPress plugin versions prior to 6.3.9, upgrade to version 6.3.9 or later.
As a temporary workaround, consider restricting access to the setting import functionalities until a patch is applied.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Advanced Custom Fields Pro
Secure Custom Fields