CVE-2023-6996: 
WordPress vulnerability analysis and mitigation

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress contains a Code Injection vulnerability (CVE-2023-6996) discovered in versions up to and including 1.2.1. The vulnerability was publicly disclosed on February 5, 2024, and received a CVSS v3.1 base score of 8.8 (High) (Wordfence).

The vulnerability exists in the plugin's vg_display_data shortcode due to insufficient input validation and restriction on access. The issue is classified as CWE-94 (Improper Control of Generation of Code) and allows for code injection attacks. The vulnerability has received a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact potential (NVD).

The vulnerability enables authenticated attackers with contributor-level permissions or higher to call arbitrary functions and execute code on the affected WordPress installations. This could potentially lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected systems (NVD).

A patch has been released to address this vulnerability. Users should upgrade to version 1.3.0 or later of the Display custom fields in the frontend – Post and User Profile Fields plugin (WordPress Plugin).