CVE-2021-24241 – Advanced Custom Field Pro < 5.9.1 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24241
The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.
References: https://github.com/jdordonezn/Reflected-XSS-in-WordPress-for-ACF-PRO-before-5.9.1-plugin/issues/1 https://wpscan.com/vulnerability/d1e9c995-37bd-4952-b88e-945e02e3c83f https://www.advancedcustomfields.com/blog/acf-5-9-1-release
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-36172 – Advanced Custom Fields <= 5.8.11 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-36172
The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS.
References: https://wordpress.org/plugins/advanced-custom-fields/#developers
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20986 – Advanced Custom Fields <= 5.7.7 - Author+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-20986
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has stored XSS exploitable by users with the Author role or higher.
References: https://wordpress.org/plugins/advanced-custom-fields/#developers https://www.advancedcustomfields.com/blog/acf-5-7-8-release https://www.advancedcustomfields.com/changelog https://www2.deloitte.com/de/de/pages/risk/articles/wordpress-plugin-xss.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9479 – ACF Frontend Display <= 2.0.6 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2015-9479
The ACF-Frontend-Display plugin for WordPress through version 2.0.6 (releases up to 2015-07-03) allows unauthenticated arbitrary file upload via an action=upload request to js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php, the bundled blueimp jQuery File Upload server-side handler.
References: https://packetstormsecurity.com/files/132590
CWE-434: Unrestricted Upload of File with Dangerous Type