The Secure Custom Fields WordPress plugin before 6.3.9, the Secure Custom Fields WordPress plugin before 6.3.6.3, and the Advanced Custom Fields Pro WordPress plugin before 6.3.9 do not prevent users from running arbitrary functions through their settings import functionality, which could allow high-privilege users such as admins to run arbitrary PHP functions.
History

Fri, 15 Nov 2024 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Wpengine; Wpengine advanced Custom Field Pro; Wpengine advanced Custom Fields
CPEs | - | cpe:2.3:a:wpengine:advanced_custom_field_pro:*:*:*:*:*:*:*:*; cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:*:*:*:*
Vendors & Products | - | Wpengine; Wpengine advanced Custom Field Pro; Wpengine advanced Custom Fields
Metrics | - | cvssV3_1: {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 Nov 2024 06:30:00 +0000

Type | Values Removed | Values Added
Description | - | The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from running arbitrary functions through its setting import functionalities, which could allow high privilege users such as admin to run arbitrary PHP functions.
Title | - | Secure Custom Fields < 6.3.6.3 - Admin+ Remote Code Execution
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-11-15T06:00:08.369Z

Updated: 2024-11-15T18:38:37.432Z

Reserved: 2024-10-04T15:01:44.589Z

Link: CVE-2024-9529

Vulnrichment

Updated: 2024-11-15T18:37:23.068Z

NVD

Status: Awaiting Analysis

Published: 2024-11-15T07:15:17.900

Modified: 2024-11-15T19:35:19.160

Link: CVE-2024-9529

Redhat

No data.