ACF WordPress Plugin Vulnerability Impacts Up To +2 Million Websites


A missing authorization vulnerability in the plugin permits a remote, authenticated attacker to view information in the database without having the access permission. This type of vulnerability allows an attacker to reach data at a level that is ordinarily restricted to users with admin privileges.

Advanced Custom Fields (ACF) WordPress Plugin

The ACF WordPress plugin is a popular development tool that allows developers to add custom fields to the Edit screen, as well as to customize the sections for users, posts, media and other areas.

The ACF tool allows developers to extend WordPress themes in many ways, which explains why it has millions of active installations.

Missing Authorization Vulnerability

A missing authorization vulnerability occurs when software such as a WordPress plugin does not check whether the current user is authorized before giving access to specific data or functionality.

Depending on what the unchecked code path can reach, this type of vulnerability can lead to exposure of sensitive information and, in the worst case, to remote code execution.

Remote Authenticated Attacker

This particular vulnerability stems from a missing authorization check for users who already have some level of authentication on the site.

That means users with at least contributor-level access (Contributor, Author or Editor) can view database information that would ordinarily require admin-level privileges.

According to the most current information from the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC):

“WordPress Plugin “Advanced Custom Fields” provided by Delicious Brains contains a missing authorization vulnerability…

Users of this product (Editor, Author, Contributor) may view the information on the database without the access permission.”

The United States National Vulnerability Database has assigned it the CVE identifier CVE-2022-23183.

ACF Changelog

A changelog is a record detailing the changes made in each version of a piece of software.

It is difficult to tell which of the changes listed in the changelog are related to fixing the vulnerability, because the ACF changelog never explicitly notes that a security issue was addressed; it simply labels each entry as a “Fix.”

Part of the ACF changelog simply states:

“Fix – ACF now validates access to option page field values when accessing via field keys the same way as field names. View More
Fix – REST API now correctly validates fields for POST update requests”

The “View More” link leads to an explainer on the ACF website that says:

“…Calls to get_field() or the_field() on non-ACF WordPress options will also return null. However, using these functions to retrieve any post, user or term meta will return the value, regardless of if the meta is an ACF field.

…In ACF 5.12.1, these restrictions now also correctly apply when using a field key to access an option value, the same as using the field name.”

The explainer is titled “Using ACF Functions to Retrieve Data From Outside ACF.”
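The pattern the changelog describes, a permission check that is applied on one lookup path (field name) but not on a parallel path (field key), is a classic way a missing authorization bug slips into plugin code. The following PHP is an added illustration written for this article; it is not ACF's own code and does not reproduce the actual vulnerable function. Every `hypothetical_*` name, the option names and the restricted-field list are invented for the example; `get_option()`, `current_user_can()`, `register_rest_route()` and `rest_ensure_response()` are real WordPress core functions.

```php
<?php
// Added illustration, not ACF's own code: a WordPress-style option reader
// showing the "two lookup paths, one check" missing-authorization pattern
// and the hardened form that routes both paths through the same check.
// All hypothetical_* names, option names and field keys are invented.

// Hypothetical map from field key to field name, as a plugin that lets
// callers address a field either way would keep it.
function hypothetical_key_to_name( $key ) {
    $map = array(
        'field_123abc' => 'smtp_password',
        'field_456def' => 'site_tagline',
    );
    return isset( $map[ $key ] ) ? $map[ $key ] : null;
}

// Fields that only administrators may read (an assumption for the example).
function hypothetical_is_restricted( $name ) {
    return in_array( $name, array( 'smtp_password' ), true );
}

// VULNERABLE PATTERN: the capability check lives only on the name path.
// Any authenticated caller who knows the field key bypasses it entirely.
function hypothetical_get_option_vulnerable( $selector ) {
    if ( 0 === strpos( $selector, 'field_' ) ) {
        // Key path: straight to the stored value, no authorization check.
        $name = hypothetical_key_to_name( $selector );
        return $name ? get_option( 'hyp_' . $name ) : null;
    }
    // Name path: authorization is enforced here only.
    if ( hypothetical_is_restricted( $selector ) && ! current_user_can( 'manage_options' ) ) {
        return null;
    }
    return get_option( 'hyp_' . $selector );
}

// HARDENED PATTERN: resolve key -> name first, then run every lookup
// through one authorization check, so a key is validated "the same way
// as field names" (the wording the ACF 5.12.1 changelog uses).
function hypothetical_get_option_hardened( $selector ) {
    $name = ( 0 === strpos( $selector, 'field_' ) )
        ? hypothetical_key_to_name( $selector )
        : $selector;
    if ( null === $name ) {
        return null;
    }
    if ( hypothetical_is_restricted( $name ) && ! current_user_can( 'manage_options' ) ) {
        return null;
    }
    return get_option( 'hyp_' . $name );
}

// Exposing the reader over the REST API: put the capability check in
// permission_callback so an unauthorized request is rejected before the
// callback runs, instead of trusting every callback to remember the check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hypothetical/v1', '/option/(?P<selector>[\w-]+)', array(
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response(
                hypothetical_get_option_hardened( $request['selector'] )
            );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The point of the hardened version is that there is exactly one place where the decision to release a restricted value is made, regardless of how the caller addressed the field. When auditing a plugin for this class of bug, look for every alternative way to reach the same stored data (name, key, ID, REST route, AJAX action) and confirm each one reaches the same check.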

Advanced Custom Fields Vulnerability is Patched

The ACF vulnerability affects all versions prior to Advanced Custom Fields 5.12.1 and Advanced Custom Fields Pro 5.12.1.

The Japan Computer Emergency Response Team Coordination Center recommends that all users of the plugin update immediately to ACF version 5.12.1 or later.
