CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-2594 – Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
https://notcve.org/view.php?id=CVE-2022-2594
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. El plugin Advanced Custom Fields de WordPress versiones anteriores a 5.12.3, Advanced Custom Fields Pro WordPress plugin versiones anteriores a 5.12.3 permite a usuarios no autenticados subir archivos permitidos en una configuración predeterminada de WP (por lo que no es posible PHP) si se presenta un formulario de frontend disponible. Esta vulnerabilidad fue introducida en la reescritura 5.0 y no existía antes de esa versión. The Advanced Custom Fields plugin for WordPress has a file upload vulnerability in versions up to, and including, 5.12.2. • https://wpscan.com/vulnerability/3fde5336-552c-4861-8b4d-89a16735c0e2 https://www.pritect.net/blog/advanced-custom-fields-5-12-3-can-allow-unauthenticated-users-to-upload-arbitrary-files • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23183 – Advanced Custom Fields <= 5.12 - Authenticated Information Disclosure
https://notcve.org/view.php?id=CVE-2022-23183
Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission. Una vulnerabilidad de falta de autorización en Advanced Custom Fields versiones anteriores a 5.12.1 y en Advanced Custom Fields Pro versiones anteriores a 5.12.1, permite a un atacante remoto autenticado visualizar la información de la base de datos sin el permiso de acceso The Advanced Custom Fields plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 5.12. This makes it possible for authenticated attackers with editor access, such as Contributors and above, to view information in the database without the appropriate authorization. • https://jvn.jp/en/jp/JVN42543427/index.html https://wordpress.org/plugins/advanced-custom-fields https://www.advancedcustomfields.com • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20867 – Advanced Custom Fields <= 5.10 - Missing Authorization on Option Changes
https://notcve.org/view.php?id=CVE-2021-20867
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors. Advanced Custom Fields versiones anteriores a 5.11 y Advanced Custom Fields Pro versiones anteriores a 5.11, contienen una vulnerabilidad de falta de autorización al mover el grupo de campos que puede permitir a un usuario mover el grupo de campos no autorizado por medio de vectores no especificados • https://jvn.jp/en/jp/JVN09136401/index.html https://wordpress.org/plugins/advanced-custom-fields https://www.advancedcustomfields.com • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20866 – Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure
https://notcve.org/view.php?id=CVE-2021-20866
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors. Advanced Custom Fields versiones anteriores a 5.11 y Advanced Custom Fields Pro anteriores a 5.11, contienen una vulnerabilidad de falta de autorización en la obtención de la lista de usuarios que puede permitir a un usuario obtener la información no autorizada por medio de vectores no especificados • https://jvn.jp/en/jp/JVN09136401/index.html https://wordpress.org/plugins/advanced-custom-fields https://www.advancedcustomfields.com • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20865 – Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure
https://notcve.org/view.php?id=CVE-2021-20865
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors. Advanced Custom Fields versiones anteriores a 5.11 y Advanced Custom Fields Pro versiones anteriores a 5.11, contienen una vulnerabilidad de falta de autorización en la navegación de la base de datos que puede permitir a un usuario navegar por datos no autorizados por medio de vectores no especificados • https://jvn.jp/en/jp/JVN09136401/index.html https://wordpress.org/plugins/advanced-custom-fields https://www.advancedcustomfields.com • CWE-862: Missing Authorization •