CVE-2021-20866 – Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure
https://notcve.org/view.php?id=CVE-2021-20866
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list, which may allow a user to obtain unauthorized information via unspecified vectors. • https://jvn.jp/en/jp/JVN09136401/index.html https://wordpress.org/plugins/advanced-custom-fields https://www.advancedcustomfields.com • CWE-862: Missing Authorization
CVE-2021-20865 – Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure
https://notcve.org/view.php?id=CVE-2021-20865
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing the database, which may allow a user to browse unauthorized data via unspecified vectors. • https://jvn.jp/en/jp/JVN09136401/index.html https://wordpress.org/plugins/advanced-custom-fields https://www.advancedcustomfields.com • CWE-862: Missing Authorization
CVE-2021-24241 – Advanced Custom Field Pro < 5.9.1 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24241
The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page. • https://github.com/jdordonezn/Reflected-XSS-in-WordPress-for-ACF-PRO-before-5.9.1-plugin/issues/1 https://wpscan.com/vulnerability/d1e9c995-37bd-4952-b88e-945e02e3c83f https://www.advancedcustomfields.com/blog/acf-5-9-1-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-36172 – Advanced Custom Fields <= 5.8.11 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-36172
The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. • https://wordpress.org/plugins/advanced-custom-fields/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-20986 – Advanced Custom Fields <= 5.7.7 - Author+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-20986
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress allows stored XSS by users with the Author role or higher. • https://wordpress.org/plugins/advanced-custom-fields/#developers https://www.advancedcustomfields.com/blog/acf-5-7-8-release https://www.advancedcustomfields.com/changelog https://www2.deloitte.com/de/de/pages/risk/articles/wordpress-plugin-xss.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')