2024-03-20 15:04:07 +00:00
{
"id" : "CVE-2024-1995" ,
"sourceIdentifier" : "security@wordfence.com" ,
"published" : "2024-03-20T02:15:08.500" ,
"lastModified" : "2024-03-20T13:00:16.367" ,
"vulnStatus" : "Awaiting Analysis" ,
2024-07-14 02:06:08 +00:00
"cveTags" : [ ] ,
2024-03-20 15:04:07 +00:00
"descriptions" : [
{
"lang" : "en" ,
"value" : "The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 4.2.2. This makes it possible for authenticated attackers, with subscrber-level access and above, to retrieve post content that is password protected and/or private."
}
] ,
"metrics" : {
"cvssMetricV31" : [
{
"source" : "security@wordfence.com" ,
"type" : "Secondary" ,
"cvssData" : {
"version" : "3.1" ,
"vectorString" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" ,
"attackVector" : "NETWORK" ,
"attackComplexity" : "LOW" ,
"privilegesRequired" : "LOW" ,
"userInteraction" : "NONE" ,
"scope" : "UNCHANGED" ,
"confidentialityImpact" : "LOW" ,
"integrityImpact" : "NONE" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 4.3 ,
"baseSeverity" : "MEDIUM"
} ,
"exploitabilityScore" : 2.8 ,
"impactScore" : 1.4
}
]
} ,
"references" : [
{
"url" : "https://github.com/inc2734/smart-custom-fields/commit/67cb6d75bd8189668f721dbd2dc7a3036851be1b" ,
"source" : "security@wordfence.com"
} ,
{
"url" : "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L78" ,
"source" : "security@wordfence.com"
} ,
{
"url" : "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3052172%40smart-custom-fields&new=3052172%40smart-custom-fields&sfp_email=&sfph_mail=" ,
"source" : "security@wordfence.com"
} ,
{
"url" : "https://www.wordfence.com/threat-intel/vulnerabilities/id/e966a266-4265-4a72-8a50-e872805219a7?source=cve" ,
"source" : "security@wordfence.com"
}
]
}
