Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for ACF Quick Edit Fields by podpirate

    CVE-2023-7286 (GCVE-0-2023-7286)

    Vulnerability from nvd – Published: 2024-10-16 06:43 – Updated: 2026-04-08 16:54
    VLAI
    Title
    ACF Quick Edit Fields <= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference
    Summary
    The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    podpirate ACF Quick Edit Fields Affected: 0 , ≤ 3.2.2 (semver)
    Create a notification for this product.
    Credits
    Chris Grello
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-7286",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T15:31:12.699782Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T18:05:43.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ACF Quick Edit Fields",
              "vendor": "podpirate",
              "versions": [
                {
                  "lessThanOrEqual": "3.2.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chris Grello"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:54:46.229Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5954bdc0-09e9-4691-95ff-02f7304514c9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?new=2828750%40acf-quickedit-fields\u0026old=2816195%40acf-quickedit-fields#file89"
            },
            {
              "url": "https://wpscan.com/vulnerability/3538e80e-c2c5-4e7b-97c3-b7debad7a136"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2022-12-05T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "ACF Quick Edit Fields \u003c= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-7286",
        "datePublished": "2024-10-16T06:43:32.686Z",
        "dateReserved": "2024-10-15T18:04:41.302Z",
        "dateUpdated": "2026-04-08T16:54:46.229Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-7286 (GCVE-0-2023-7286)

    Vulnerability from cvelistv5 – Published: 2024-10-16 06:43 – Updated: 2026-04-08 16:54
    VLAI
    Title
    ACF Quick Edit Fields <= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference
    Summary
    The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    podpirate ACF Quick Edit Fields Affected: 0 , ≤ 3.2.2 (semver)
    Create a notification for this product.
    Credits
    Chris Grello
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-7286",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T15:31:12.699782Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T18:05:43.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ACF Quick Edit Fields",
              "vendor": "podpirate",
              "versions": [
                {
                  "lessThanOrEqual": "3.2.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chris Grello"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:54:46.229Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5954bdc0-09e9-4691-95ff-02f7304514c9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?new=2828750%40acf-quickedit-fields\u0026old=2816195%40acf-quickedit-fields#file89"
            },
            {
              "url": "https://wpscan.com/vulnerability/3538e80e-c2c5-4e7b-97c3-b7debad7a136"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2022-12-05T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "ACF Quick Edit Fields \u003c= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-7286",
        "datePublished": "2024-10-16T06:43:32.686Z",
        "dateReserved": "2024-10-15T18:04:41.302Z",
        "dateUpdated": "2026-04-08T16:54:46.229Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }