Medium severity4.3NVD Advisory· Published Mar 20, 2024· Updated Apr 15, 2026

CVE-2024-1995

Description

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 4.2.2. This makes it possible for authenticated attackers, with subscrber-level access and above, to retrieve post content that is password protected and/or private.

Patches

67cb6d75bd81

https://github.com/inc2734/smart-custom-fieldsvia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/inc2734/smart-custom-fields/commit/67cb6d75bd8189668f721dbd2dc7a3036851be1bnvd
plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.phpnvd
plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/e966a266-4265-4a72-8a50-e872805219a7nvd

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000