CVE-2023-7286

MEDIUM EXPLOITED

ACF Quick Edit Fields <3.2.2 - Info Disclosure

Title source: llm

Description

The ACF Quick Edit Fields plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability, including contributor-level users and above, to access metadata of other users.

Scores

CVSS v3 6.5
EPSS 0.0105
EPSS Percentile 77.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2024-10-15
CWE
CWE-639
Status published
Products (1)
podpirate/ACF Quick Edit Fields < 3.2.2
Published Oct 16, 2024
Tracked Since Feb 18, 2026