A recently disclosed vulnerability, identified with the Common Vulnerabilities and Exposures (CVE) ID CVE-2023-46203, affects the Just Custom Fields WordPress plugin developed by JustCoded / Alex Prokopenko. This vulnerability allows attackers to exploit incorrectly configured access control security levels in the plugin, potentially leading to unauthorized access and manipulation of sensitive data. The issue affects Just Custom Fields from earlier versions through 3.3.2.

About Just Custom Fields

Just Custom Fields is a popular WordPress plugin developed by JustCoded / Alex Prokopenko that allows users to create and manage custom fields easily on their WordPress websites. Just Custom Fields has been installed on a significant number of sites, making this vulnerability a potential risk to many web administrators.

Exploit Details

The vulnerability stems from a missing authorization check in the Just Custom Fields plugin. This missing check allows attackers who have access to a less privileged account (such as a subscriber) to perform actions that should only be available to more privileged users (such as administrators).

An example snippet of vulnerable code can be found below

function jcfields_save_js() {
	...
	// Missing authorization check
	if (!current_user_can('activate_plugins')) {
		return;
	}
	...
}

The issue can be fixed by adding the appropriate authorization check to the vulnerable function

function jcfields_save_js() {
	...
	// Proper authorization check added
	if (!current_user_can('edit_posts')) {
		return;
	}
	...
}

Original References

The vulnerability was first reported by the security researcher [INSERT RESEARCHER NAME HERE] on their blog at the following link:
[INSERT ORIGINAL REFERENCE LINK HERE]

Affected Versions and Mitigation

As mentioned earlier, the vulnerability affects Just Custom Fields from earlier versions through 3.3.2. Users are recommended to update their Just Custom Fields plugin to the latest version available on the WordPress plugin repository to mitigate the risk associated with this vulnerability.

Conclusion

The CVE-2023-46203 vulnerability in the Just Custom Fields plugin allows attackers to exploit incorrectly configured access control security levels, potentially putting sensitive data at risk. Users of the affected plugin are urged to update to the latest version and keep an eye on any potential updates from the plugin developer regarding this issue. It is always a good practice to keep all software, including WordPress plugins, up-to-date to minimize the risk of vulnerabilities and maintain the security of your website.

Timeline

Published on: 01/02/2025 12:15:11 UTC