CVE-2023-40068

moderate-risk
Published 2023-08-21

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.

Do I need to act?

!
29.9% chance of exploitation in next 30 days
EPSS score — higher than 70% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Advanced Custom Fields
Advanced Custom Fields

Affected Vendors

Advancedcustomfields

References (8)

Third Party Advisory https://jvn.jp/en/jp/JVN98946408/
Product https://wordpress.org/plugins/advanced-custom-fields/
Product https://www.advancedcustomfields.com/
Release Notes https://www.advancedcustomfields.com/blog/acf-6-1-8/
Third Party Advisory https://jvn.jp/en/jp/JVN98946408/
Product https://wordpress.org/plugins/advanced-custom-fields/
Product https://www.advancedcustomfields.com/
Release Notes https://www.advancedcustomfields.com/blog/acf-6-1-8/
43
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 15/34 · Moderate
Exposure 7/34 · Low