
CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

02 Dec 2021 — Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors. • https://jvn.jp/en/jp/JVN09136401/index.html • CWE-862: Missing Authorization

CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

02 Dec 2021 — Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors. • https://jvn.jp/en/jp/JVN09136401/index.html • CWE-862: Missing Authorization

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

20 Jan 2021 — The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page. • https://github.com/jdordonezn/Reflected-XSS-in-WordPress-for-ACF-PRO-before-5.9.1-plugin/issues/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jun 2020 — The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. • https://wordpress.org/plugins/advanced-custom-fields/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Dec 2018 — The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors. • https://wordpress.org/plugins/advanced-custom-fields/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')