CVE-2024-4565: 
WordPress vulnerability analysis and mitigation

The Advanced Custom Fields (ACF) WordPress plugin before version 6.3 and Advanced Custom Fields Pro WordPress plugin before version 6.3 contain a security vulnerability that was discovered on May 30, 2024. The vulnerability allows users with contributor-level access to display custom field values for any post via shortcode without proper access control verification (WPScan Advisory).

The vulnerability is classified as an Access Control issue (CWE-284) with a CVSS v3.1 base score of 6.5 (Medium) according to NVD, and 7.5 (High) according to CISA-ADP. The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating that it can be exploited over the network with low attack complexity, requires low privileges, and can result in high impact to integrity (NVD Database).

The vulnerability allows contributors to access and display custom field values from any post, including private, password-protected, draft, and trashed posts, as well as options page content. This represents a significant breach of access controls as it enables unauthorized access to potentially sensitive information stored in custom fields (WPScan Advisory).

The vulnerability has been fixed in version 6.3 of both the Advanced Custom Fields and Advanced Custom Fields Pro plugins. Users are strongly advised to update to version 6.3 or later to address this security issue (WPScan Advisory).