Smart Custom Fields Vulnerability – Missing Authorization to Authenticated (Subscriber+) Post Content Disclosure – CVE-2024-1995 | WordPress Plugin Vulnerability Report
Plugin Name: Smart Custom Fields
Key Information:
- Software Type: Plugin
- Software Slug: smart-custom-fields
- Software Status: Active
- Software Author: inc2734
- Software Downloads: 224,550
- Active Installs: 50,000
- Last Updated: March 19, 2024
- Patched Versions: 5.0.0
- Affected Versions: <= 4.2.2
Vulnerability Details:
- Name: Smart Custom Fields <= 4.2.2
- Title: Missing Authorization to Authenticated (Subscriber+) Post Content Disclosure
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CVE: CVE-2024-1995
- CVSS Score: 4.3
- Publicly Published: March 19, 2024
- Researcher: Lucio Sà
- Description: The Smart Custom Fields plugin for WordPress contains a vulnerability in versions up to and including 4.2.2, where a missing capability check in the relational_posts_search() function allows authenticated users with subscriber-level access or higher to view content from password-protected and private posts.
Summary:
The Smart Custom Fields plugin, widely utilized for adding custom fields to WordPress sites, was found to have a significant security flaw in versions up to 4.2.2, identified as CVE-2024-1995. This vulnerability allowed authenticated users with minimal permissions to bypass content restrictions and access sensitive post content. The issue has been resolved in the latest update, version 5.0.0.
Detailed Overview:
Discovered by researcher Lucio Sà, this vulnerability highlights a critical oversight in the plugin's security mechanisms. By failing to properly check user capabilities within the relational_posts_search() function, the plugin inadvertently exposed password-protected and private posts to unauthorized users. This breach not only posed a risk to data confidentiality but also emphasized the need for rigorous security practices in plugin development.
Advice for Users:
- Immediate Action: Users of the Smart Custom Fields plugin should immediately upgrade to version 5.0.0 to mitigate the risk posed by CVE-2024-1995.
- Check for Signs of Vulnerability: Site administrators are advised to review access logs for unusual activity that might indicate exploitation of this vulnerability and to audit the visibility settings of sensitive content.
- Alternate Plugins: While the vulnerability has been patched, users may consider evaluating other custom field plugins as alternatives to ensure a diverse and secure plugin ecosystem on their sites.
- Stay Updated: Maintaining the latest versions of all WordPress plugins is crucial for site security. Users should regularly check for updates and apply them promptly to protect against known vulnerabilities.
Conclusion:
The swift resolution of CVE-2024-1995 in the Smart Custom Fields plugin serves as a vital reminder of the ongoing challenges in maintaining web security. For WordPress site owners, particularly those managing sensitive content, staying vigilant and proactive in updating plugins is essential for safeguarding their digital assets. As the digital landscape continues to evolve, the commitment to security by both developers and users remains paramount in ensuring the integrity and trustworthiness of online platforms.
References:
- Wordfence Vulnerability Report on Smart Custom Fields
- Wordfence Threat Intel on Smart Custom Fields Vulnerabilities