The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and including, 1.2.1 due to insufficient input validation and restriction on access to that shortcode. This makes it possible for authenticated attackers with contributor-level and above permissions to call arbitrary functions and execute code.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:44
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3021133%40shortcode-to-display-post-and-user-data&new=3021133%40shortcode-to-display-post-and-user-data&sfp_email=&sfph_mail= - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/e0662c3a-5b82-4b9a-aa69-147094930d1f?source=cve - Patch, Third Party Advisory |
13 Feb 2024, 16:11
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3021133%40shortcode-to-display-post-and-user-data&new=3021133%40shortcode-to-display-post-and-user-data&sfp_email=&sfph_mail= - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/e0662c3a-5b82-4b9a-aa69-147094930d1f?source=cve - Patch, Third Party Advisory | |
CWE | CWE-94 | |
First Time |
Vegacorp display Custom Fields In The Frontend - Post And User Profile Fields
Vegacorp |
|
CPE | cpe:2.3:a:vegacorp:display_custom_fields_in_the_frontend_-_post_and_user_profile_fields:*:*:*:*:*:wordpress:*:* | |
Summary |
|
05 Feb 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-05 22:15
Updated : 2024-11-21 08:44
NVD link : CVE-2023-6996
Mitre link : CVE-2023-6996
CVE.ORG link : CVE-2023-6996
JSON object : View
Products Affected
vegacorp
- display_custom_fields_in_the_frontend_-_post_and_user_profile_fields
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')