CVE-2024-45429
CVE-2024-45429 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. A cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker who holds the privilege configured by the product's 'capability' setting stores an arbitrary script in a field label, the script may be executed in the web browser of a logged-in user with the same privilege as the attacker. EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
A cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker who holds the privilege configured by the product's 'capability' setting stores an arbitrary script in a field label, the script may be executed in the web browser of a logged-in user with the same privilege as the attacker.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wpengine | Advanced Custom Fields | <= 6.3.5 |
References
- https://jvn.jp/en/jp/JVN67963942/ (Third Party Advisory)
- https://www.advancedcustomfields.com/blog/acf-6-3-6/ (Release Notes)
Source: NVD / NIST
