Vulnerabilities > CVE-2021-24872 - Incorrect Authorization vulnerability in GET Custom Field Values Project GET Custom Field Values

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

get-custom-field-values-project

CWE-863

NVD

Published: 2021-12-13

Updated: 2021-12-15

Summary

The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata.

Vulnerable Configurations

Part	Description	Count
Application	Get_Custom_Field_Values_Project GET Custom Field Values Project GET Custom Field Values - GET Custom Field Values Project GET Custom Field Values 3.5 GET Custom Field Values Project GET Custom Field Values 3.6 GET Custom Field Values Project GET Custom Field Values 3.6.1 GET Custom Field Values Project GET Custom Field Values 3.7 GET Custom Field Values Project GET Custom Field Values 3.8 GET Custom Field Values Project GET Custom Field Values 3.9 GET Custom Field Values Project GET Custom Field Values 3.9.1 GET Custom Field Values Project GET Custom Field Values 3.9.2 GET Custom Field Values Project GET Custom Field Values 3.9.3 GET Custom Field Values Project GET Custom Field Values 3.9.4	11

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://wpscan.com/vulnerability/ec23734a-5ea7-4e46-aba9-3dee4e6dffb6