CVE-2021-24872 in Get Custom Field Values Plugin
Summary
by MITRE • 12/13/2021
The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/15/2021
The CVE-2021-24872 vulnerability affects the Get Custom Field Values WordPress plugin version 3.9.3 and earlier, representing a critical access control flaw that undermines the fundamental security model of WordPress platforms. This vulnerability stems from insufficient permission validation within the plugin's metadata retrieval mechanisms, allowing users with minimal privileges to bypass normal access controls and obtain sensitive information from posts they should not be authorized to view. The issue specifically targets the Contributor user role, which typically has limited capabilities including the ability to create and edit their own posts, but should not have access to administrative content or metadata from other users' posts.
The technical flaw manifests in the plugin's failure to implement proper authorization checks when retrieving custom field values from posts. When a Contributor user makes a request to access metadata through the plugin's API endpoints, the system does not verify whether the requesting user has appropriate permissions to view the target post's metadata. This creates a direct path for privilege escalation where low-privilege users can access administrative content, including private posts, draft content, and sensitive custom field data that should remain restricted to administrators or editors. The vulnerability essentially allows for unauthorized information disclosure through the plugin's metadata access functions, which are designed to retrieve custom field values for posts.
The operational impact of this vulnerability extends beyond simple information disclosure, as it can enable more sophisticated attacks and compromise the integrity of WordPress installations. Contributors who exploit this vulnerability can access private posts, draft content, and sensitive metadata that may contain confidential business information, personal data, or strategic content. This unauthorized access can lead to data breaches, intellectual property theft, and potential compliance violations depending on the nature of the accessed information. The vulnerability is particularly concerning because it affects a widely used plugin and allows users with minimal privileges to access content that should be restricted to higher-privilege roles, effectively undermining the role-based access control mechanisms that WordPress relies upon for security.
Organizations using the affected plugin version should immediately implement mitigations to address this vulnerability. The primary recommendation is to upgrade to plugin version 4.0 or later, which includes proper permission validation and access control checks. Additionally, administrators should conduct thorough audits of user roles and permissions to ensure that only authorized users have access to sensitive content. The vulnerability aligns with CWE-284, which describes improper access control, and represents a clear violation of the principle of least privilege. From an ATT&CK perspective, this vulnerability maps to privilege escalation techniques and information gathering phases, as attackers can use it to discover sensitive information and potentially move laterally within compromised systems. Organizations should also consider implementing additional monitoring and logging around plugin API endpoints to detect unauthorized access attempts and establish baseline behaviors for legitimate usage patterns.