CVSS Summary
| Score | 4.9 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | Single |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |
Advisory:
Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can
Vulnerability
Last revised:
This plugin allows users (who have permission to edit posts) to inject JavaScript into pages within /wp-admin/. This means a user can exceed their privileges by creating a script that causes an admin’s browser to perform an action, such as creating a new admin user, deleting all posts, etc.
Current state: Fixed
Proof of concept
- Add a new ACF field group
- Add a new table-type field to that field group
- Create a new post/page, wherever the field group is set to display
- Enter “<script>alert(1)</script>” into a field and save the post
- Visit the page again, and the injected JavaScript will be executed
Tested with ACF PRO v5. Not tested with v4.
Advisory timeline
- 2016-07-13: Discovered
- 2016-07-13: Reported to vendor by email
- 2016-07-13: Requested CVE
- 2016-07-13: Vendor’s autoresponder said they were unavailable until 1st August
- 2016-08-01: Vendor reported they were working on a fix
- 2016-08-01: Vendor reported issue fixed in 1.1.13
- 2016-08-08: Advisory published
Mitigation/further actions
Update to version 1.1.13 or later.