CVE-2024-6167: 
WordPress vulnerability analysis and mitigation

The Just Custom Fields plugin for WordPress contains a vulnerability (CVE-2024-6167) due to missing capability checks on several AJAX functions in versions up to and including 3.3.2. This security issue was discovered and reported, leading to the plugin being closed on July 8, 2024 (WordPress Plugin, NVD Database).

The vulnerability stems from insufficient capability checks on multiple AJAX functions within the plugin. This security flaw allows authenticated users with Subscriber-level access or higher to access functionality intended only for administrative users. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Wordfence Intel).

The vulnerability enables authenticated attackers with Subscriber-level privileges to perform unauthorized administrative actions, including managing field groups and changing visibility settings of items. This represents a significant privilege escalation issue that could affect the integrity of the website's custom fields configuration (NVD Database).

Due to the security concerns, the plugin has been closed and is no longer available for download from the WordPress plugin repository as of July 8, 2024. Users are advised to remove the plugin from their WordPress installations and seek alternative solutions for custom fields functionality (WordPress Plugin).