8.5

CVE-2024-34761

Wordpress Advanced Custom Fields Pro plugin < 6.2.10 - Contributor+ Arbitrary Function Execution vulnerability

Advanced Custom Fields Pro <= 6.2.9 - Authenticated (Contributor+) Code Injection

Vulnerability discovered by executing a planned security audit.

Improper Control of Generation of Code ('Code Injection') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10.
Mögliche Gegenmaßnahme
Advanced Custom Fields Pro: Update to version 6.2.10, or a newer patched version
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
Herstelleradvancedcustomfields
Produkt advanced_custom_fields
Default Statusunaffected
Version 0
Version < 6.2.10
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Advanced Custom Fields Pro
Version *-6.2.9
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.43% 0.341
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
audit@patchstack.com 8.5 1.8 6
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://patchstack.com/database/vulnerability/advanced-custom-fields-pro/wordpress-advanced-custom-fields-pro-plugin-6-2-10-contributor-arbitrary-function-execution-vulnerability?_s_id=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/2923afdd-36b7-4181-aade-d757a70a06c0
Third Party Advisory