CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-40696 – WordPress Advanced Custom Fields Plugin 3.1.1-6.0.2 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2022-40696
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WP Engine Advanced Custom Fields (ACF).This issue affects Advanced Custom Fields (ACF): from 3.1.1 through 6.0.2. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en WP Engine Advanced Custom Fields (ACF). Este problema afecta a Advanced Custom Fields (ACF): desde 3.1.1 hasta 6.0.2. The Advanced Custom Fields plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 6.0.2. While the ACF shortcode ensures that the ACF data being accessed is valid data that has been entered into ACF fields, it may be possible with certain site configurations, that contributor-level users may extract sensitive user or configuration data. • https://patchstack.com/database/vulnerability/advanced-custom-fields/wordpress-advanced-custom-fields-plugin-3-1-1-6-0-2-custom-field-value-exposure?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-2594 – Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
https://notcve.org/view.php?id=CVE-2022-2594
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. El plugin Advanced Custom Fields de WordPress versiones anteriores a 5.12.3, Advanced Custom Fields Pro WordPress plugin versiones anteriores a 5.12.3 permite a usuarios no autenticados subir archivos permitidos en una configuración predeterminada de WP (por lo que no es posible PHP) si se presenta un formulario de frontend disponible. Esta vulnerabilidad fue introducida en la reescritura 5.0 y no existía antes de esa versión. The Advanced Custom Fields plugin for WordPress has a file upload vulnerability in versions up to, and including, 5.12.2. • https://wpscan.com/vulnerability/3fde5336-552c-4861-8b4d-89a16735c0e2 https://www.pritect.net/blog/advanced-custom-fields-5-12-3-can-allow-unauthenticated-users-to-upload-arbitrary-files • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23183 – Advanced Custom Fields <= 5.12 - Authenticated Information Disclosure
https://notcve.org/view.php?id=CVE-2022-23183
Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission. Una vulnerabilidad de falta de autorización en Advanced Custom Fields versiones anteriores a 5.12.1 y en Advanced Custom Fields Pro versiones anteriores a 5.12.1, permite a un atacante remoto autenticado visualizar la información de la base de datos sin el permiso de acceso The Advanced Custom Fields plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 5.12. This makes it possible for authenticated attackers with editor access, such as Contributors and above, to view information in the database without the appropriate authorization. • https://jvn.jp/en/jp/JVN42543427/index.html https://wordpress.org/plugins/advanced-custom-fields https://www.advancedcustomfields.com • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20867 – Advanced Custom Fields <= 5.10 - Missing Authorization on Option Changes
https://notcve.org/view.php?id=CVE-2021-20867
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors. Advanced Custom Fields versiones anteriores a 5.11 y Advanced Custom Fields Pro versiones anteriores a 5.11, contienen una vulnerabilidad de falta de autorización al mover el grupo de campos que puede permitir a un usuario mover el grupo de campos no autorizado por medio de vectores no especificados • https://jvn.jp/en/jp/JVN09136401/index.html https://wordpress.org/plugins/advanced-custom-fields https://www.advancedcustomfields.com • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20866 – Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure
https://notcve.org/view.php?id=CVE-2021-20866
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors. Advanced Custom Fields versiones anteriores a 5.11 y Advanced Custom Fields Pro anteriores a 5.11, contienen una vulnerabilidad de falta de autorización en la obtención de la lista de usuarios que puede permitir a un usuario obtener la información no autorizada por medio de vectores no especificados • https://jvn.jp/en/jp/JVN09136401/index.html https://wordpress.org/plugins/advanced-custom-fields https://www.advancedcustomfields.com • CWE-862: Missing Authorization •