
CVE-2018-20986


Date: August 22, 2019

The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors.

Language: PHP

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version


CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): SINGLE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE