CVE-2023-6983: 
WordPress vulnerability analysis and mitigation

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CVE-2023-6983) affecting all versions up to and including 1.2.1. The vulnerability was discovered in January 2024 and publicly disclosed on February 5, 2024. This security issue affects the plugin's vg_display_data shortcode functionality (NVD).

The vulnerability stems from missing validation on a user-controlled key in the vg_display_data shortcode implementation. The issue has been classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability has received a CVSS v3.1 base score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and required low privileges (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to retrieve potentially sensitive post meta data from the WordPress installation (NVD).

A patch has been released to address this vulnerability. Users should upgrade to version 1.3.0 or later of the Display custom fields in the frontend – Post and User Profile Fields plugin (WordPress Plugin).