CVE-2021-24241 - Reflected cross-site scripting in Advancedcustomfields Advanced Custom Fields 5.8.13/5.8.14/5.9.0
CVSS v3 metrics

Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | LOW |
Integrity impact | LOW |
Availability impact | NONE |

Summary
The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not escape the generated update URL before outputting it inside an HTML attribute on the update settings page. Because the URL reflects request-controlled input, a crafted link can terminate the attribute and inject markup, giving a reflected cross-site scripting (XSS) issue. The issue is fixed in version 5.9.1.
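The bug class in the summary, as an added example that is not Advanced Custom Fields' own code: a URL assembled from request-controlled input is concatenated into a double-quoted `href` attribute without escaping, beside the escaped form and a check that parses both outputs the way a browser would. The parameter name `redirect`, the admin URL and the payload are placeholders constructed for this illustration; the real plugin's internals are not reproduced here.

```php
<?php
// Added example, not code from Advanced Custom Fields. Shows unescaped output of a
// request-derived URL into an HTML attribute (reflected XSS) and the fixed form.
// The 'redirect' parameter and the admin URL are placeholders for this example.

// A settings page composes an "update" link from a base URL plus a value that
// ultimately comes from the request.
function build_update_url(string $base, string $from_request): string
{
    return $base . '?redirect=' . $from_request;
}

// Vulnerable form: the URL is concatenated straight into the href attribute.
function render_vulnerable(string $url): string
{
    return '<a class="button" href="' . $url . '">Update</a>';
}

// Fixed form: encode for the attribute context. ENT_QUOTES converts both " and '
// so the value can no longer terminate the attribute. In WordPress code the
// equivalents are esc_url() for the URL and esc_attr() for other attribute values.
function render_fixed(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a class="button" href="' . $safe . '">Update</a>';
}

// Check: parse the rendered markup as a browser would and report any attribute on
// the <a> element beyond the two the template intended. Anything else got there
// by breaking out of the href value. Requires ext-dom (DOMDocument).
function injected_attributes(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $names = [];
    foreach ($doc->getElementsByTagName('a') as $anchor) {
        foreach ($anchor->attributes as $attr) {
            $names[] = $attr->name;
        }
    }
    return array_values(array_diff($names, ['class', 'href']));
}

// Constructed payload: closes the href value and adds an event handler attribute.
$payload = '" onmouseover="alert(document.domain)';
$url     = build_update_url('https://example.invalid/wp-admin/admin.php', $payload);

foreach (['vulnerable' => render_vulnerable($url), 'fixed' => render_fixed($url)] as $label => $html) {
    $extra = injected_attributes($html);
    printf("%-11s %s\n", $label . ':', $html);
    printf("%-11s injected attributes: %s\n", '', $extra ? implode(', ', $extra) : '(none)');
}
```

Run it with `php example.php`: the vulnerable render yields an `onmouseover` attribute on the anchor, the fixed render yields none, because the quote in the payload is emitted as `&quot;` and stays inside the attribute value. Attribute encoding only stops the break-out; it does not stop a `javascript:` scheme placed in `href`, which is why WordPress's `esc_url()` additionally restricts the URL scheme rather than relying on `esc_attr()` alone. Reflected XSS of this kind needs the victim to open a crafted link, which is consistent with the CVSS entry requiring no privileges.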
Vulnerable Configurations

Part | Description | Count |
---|---|---|
Application | | 4 |
References
- https://github.com/jdordonezn/Reflected-XSS-in-WordPress-for-ACF-PRO-before-5.9.1-plugin/issues/1
- https://wpscan.com/vulnerability/d1e9c995-37bd-4952-b88e-945e02e3c83f
- https://www.advancedcustomfields.com/blog/acf-5-9-1-release/