CVE-2024-45429: Cross-site Scripting in Advanced Custom Fields

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.5% (top 32.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 4, 2024; latest update Sep 5, 2024

Description

A stored cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. A user who holds the capability configured in the plugin's settings (the 'capability' setting) can store an arbitrary script in a field label; the script is then executed in the browser of any logged-in user with that same capability who views the label.
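The pattern behind this class of bug, as an added illustration that is not Advanced Custom Fields' own code: a hypothetical plugin stores a field label set by a user holding the configured capability and later echoes it into a wp-admin page. The unsafe renderer trusts the label because only capability holders can write it; the hardened renderer escapes at output, since the author and the viewer of a label are different principals even when they share a capability. The function, option and capability names (acf_demo_*, manage_options) are assumptions for this example, and the fallback definitions of esc_html and current_user_can exist only so the file runs with the php CLI outside WordPress. The version check uses the affected range stated on this page ("6.3.5 and earlier").

```php
<?php
// Added example, not the plugin's code. Names prefixed acf_demo_ are assumptions.

// Stand-ins so the file runs stand-alone with `php demo.php`.
// Inside WordPress the real helpers are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('current_user_can')) {
    // Assumption for the demo: the current user holds the configured capability.
    function current_user_can($cap) { return true; }
}

// Vulnerable pattern: the label is treated as trusted because writing it
// already required the plugin's capability, so it is echoed unescaped.
function acf_demo_render_label_unsafe($label) {
    return '<label class="field-label">' . $label . '</label>';
}

// Hardened pattern: escape at output regardless of who stored the value.
// A capability holder who stores the label is still a distinct principal
// from the capability holder who views it.
function acf_demo_render_label_safe($label) {
    return '<label class="field-label">' . esc_html($label) . '</label>';
}

// Triage helper built from the affected range on this page: 6.3.5 and earlier.
function acf_demo_is_affected_version($version) {
    return version_compare($version, '6.3.5', '<=');
}

// Constructed sample: a label a capability holder could submit through the
// plugin's settings UI. The payload is generic, not taken from any report.
$stored_label = 'Title <script>document.title = "xss";</script>';

if (current_user_can('manage_options')) {   // capability name is an assumption
    echo "unsafe: ", acf_demo_render_label_unsafe($stored_label), PHP_EOL;
    echo "safe:   ", acf_demo_render_label_safe($stored_label), PHP_EOL;
}

foreach (['6.3.4', '6.3.5', '6.3.6'] as $v) {
    printf("%s affected: %s\n", $v, acf_demo_is_affected_version($v) ? 'yes' : 'no');
}
```

Run it with the php CLI: the first line prints the label with the script tags intact, which a browser would execute when the page is rendered; the second prints the angle brackets and quotes as HTML entities, so the same stored value is displayed as text. The version loop flags 6.3.4 and 6.3.5 and clears 6.3.6, matching the range on this page.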

CVSS vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Note that the vector as listed rates Privileges Required as None (PR:N), while the description above requires an attacker who already holds the plugin's configured capability. Where that capability is restricted to trusted administrators, the effective risk for a deployment is lower than the base score suggests.

Affected Packages (3 packages)

CVEListV5: wp_engine/advanced_custom_fields, 6.3.5 and earlier
CVEListV5: wp_engine/advanced_custom_fields_pro, 6.3.5 and earlier

Vulnerability Details (2 records)

GHSA (2024-09-05): GHSA-h827-7423-x2vc, "Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6..."
CVEList (2024-09-04): CVE-2024-45429, "Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6..."
CVE-2024-45429 — Cross-site Scripting | cvebase