Description
The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1 allows authenticated users with a role as low as contributor to access arbitrary post metadata. This could lead to sensitive data disclosure; for example, when used in combination with WooCommerce, the email address of orders can be retrieved.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/7b4d4675-6089-4435-9b56-31496adc4767
Scores
CVSS v3
4.3
EPSS
0.0078
EPSS Percentile
51.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-863
Status
published
Products (1)
custom_content_shortcode_project/custom_content_shortcode
< 4.0.1
Published
Mar 07, 2022
Tracked Since
Feb 18, 2026