ACF On-The-Go v1.0.1 causes privilege escalation via acfg_update_fields()
CVE-2024-3071 Published on May 2, 2024
ACF On-The-Go <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update
The ACF On-The-Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the acfg_update_fields() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post titles, descriptions, and ACF values.
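The root cause described above is a server-side handler that writes post data without first confirming the caller is allowed to edit that post. The following PHP is an added illustration of that pattern and its fix; it is not the plugin's actual code, and the handler names (example_update_fields_*), the AJAX action name, the nonce action and the request parameters are all assumptions chosen for the example. It uses only standard WordPress and ACF API calls (add_action, check_ajax_referer, current_user_can, wp_update_post, update_field).

```php
<?php
// Added example, not the plugin's code. Assumes a POST to admin-ajax.php with
// action=example_update_fields, post_id, title, content and an acf[] array.

// Shared write path: applies title, content and ACF values to $post_id.
function example_apply_update( $post_id ) {
    wp_update_post( array(
        'ID'           => $post_id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    foreach ( (array) ( $_POST['acf'] ?? array() ) as $key => $value ) {
        // update_field() is the ACF API; sanitise keys and values before storing.
        update_field( sanitize_key( $key ), sanitize_text_field( wp_unslash( $value ) ), $post_id );
    }
}

// WEAK PATTERN (the class of bug in CVE-2024-3071): wp_ajax_* hooks fire for
// every logged-in user, so without an authorization check any subscriber can
// rewrite any post simply by supplying its ID.
function example_update_fields_unchecked() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    example_apply_update( $post_id );
    wp_send_json_success();
}

// HARDENED: verify the request origin (nonce) and then check a capability that
// is scoped to the specific target post. 'edit_post' is a meta capability that
// WordPress resolves to edit_posts / edit_others_posts / edit_published_posts
// as appropriate, so a Subscriber (who has none of these) is rejected.
function example_update_fields_checked() {
    check_ajax_referer( 'example_update_fields', 'nonce' ); // dies on failure
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 ); // terminates the request
    }
    example_apply_update( $post_id );
    wp_send_json_success();
}

// Register only the checked handler. The matching nonce is issued to the
// client with wp_create_nonce( 'example_update_fields' ) and sent back as 'nonce'.
add_action( 'wp_ajax_example_update_fields', 'example_update_fields_checked' );
```

When reviewing a plugin for this weakness, look for every callback attached to a wp_ajax_ or REST route that calls wp_update_post(), update_post_meta() or update_field() and confirm that a current_user_can() check referencing the actual target post precedes the write; a blanket is_user_logged_in() test or a nonce check on its own does not establish authorization.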
Timeline
Disclosed
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2024-3071 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2024-3071
Affected Versions
amaa ACF On-The-Go:
- Versions before and including 1.0.1 are affected.
- Version range <= 1.0.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.