CVE-2024-3562

The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. This is due to insufficient sanitization of input prior to being used in a call to the eval() function. This makes it possible for authenticated attackers, with contributor-level access and above, to execute arbitrary PHP code on the server.
Configurations

Configuration 1 (hide)

cpe:2.3:a:custom_field_suite_project:custom_field_suite:*:*:*:*:*:wordpress:*:*

History

15 Jul 2024, 16:49

Type Values Removed Values Added
CWE CWE-94
First Time Custom Field Suite Project
Custom Field Suite Project custom Field Suite
CPE cpe:2.3:a:custom_field_suite_project:custom_field_suite:*:*:*:*:*:wordpress:*:*
References () https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/loop.php#L192 - () https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/loop.php#L192 - Product
References () https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/loop.php#L224 - () https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/loop.php#L224 - Product
References () https://mgibbs189.github.io/custom-field-suite/field-types/loop.html - () https://mgibbs189.github.io/custom-field-suite/field-types/loop.html - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/dfd7b788-03a0-41a4-96f2-cfca74ef281b?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/dfd7b788-03a0-41a4-96f2-cfca74ef281b?source=cve - Third Party Advisory

20 Jun 2024, 12:43

Type Values Removed Values Added
Summary
  • (es) El complemento Custom Field Suite para WordPress es vulnerable a la inyección de código PHP en todas las versiones hasta la 2.6.7 incluida a través del campo personalizado Loop. Esto se debe a una limpieza insuficiente de la entrada antes de usarla en una llamada a la función eval(). Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, ejecuten código PHP arbitrario en el servidor.

20 Jun 2024, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-20 02:15

Updated : 2024-07-15 16:49


NVD link : CVE-2024-3562

Mitre link : CVE-2024-3562

CVE.ORG link : CVE-2024-3562


JSON object : View

Products Affected

custom_field_suite_project

  • custom_field_suite
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')