What the vulnerability does
Description
An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered.
CVSS base score
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
Explanation of Vulnerability in Simple Terms
Advanced Custom Fields versions prior to 6.4.3 contain an HTML injection vulnerability. An authenticated user with high privileges can inject markup through a crafted request, but a victim must interact with a specific page or link for the injected content to render. The vulnerability has a limited integrity impact and no impact on confidentiality or availability.
What an attacker can do
Inject crafted HTML that is rendered within the site's context when a victim views the affected page, tampering with what the page displays.
Potential impact on your site
A compromised high-privilege (e.g., administrator) account could inject malicious HTML, potentially altering site content or behavior as seen by visitors; data theft and downtime are unlikely given the vector's confidentiality and availability ratings of None.
Conditions required to exploit
Attacker must be authenticated with high-level privileges (e.g., administrator) and the victim must interact with a malicious link or page.