ACF WordPress Plugin Vulnerability Affects Up To +2 Million Sites – Search Engine Journal


A missing authorization vulnerability …allows a remote authenticated attacker to view the information on the database without the access permission. This kind of vulnerability allows an attacker to attain access to the site at levels that are ordinarily restricted to users with admin privileges.

Advanced Custom Fields (ACF) WordPress Plugin

The ACF WordPress plugin is a popular development tool that allows developers to add custom fields to the Edit screen, as well as to customize the sections for users, posts, media and other areas.

The ACF tool lets developers extend WordPress themes in a number of ways, which explains why it has millions of active installations.

Missing Authorization Vulnerability

A missing authorization vulnerability occurs when software such as a WordPress plugin does not check a user's authorization when that user accesses particular information.

This kind of vulnerability can result in exposure of sensitive information and in remote code execution attacks.

Remote Authenticated Attacker

This particular vulnerability exploits a missing authorization check for users who have some level of authentication.

That means that users with at least editor, author or contributor level of authentication can reach admin-level privileges in order to view database information.
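A constructed illustration of the check the article describes as missing, written here as an added example and not taken from ACF's code: a hypothetical plugin exposes stored field values over the WordPress REST API, first gated only on being logged in (so any contributor, author or editor can read administrator-level data), then gated on the caller's capability for the specific object being read. The `example-plugin` namespace, route paths and function names are assumptions.

```php
<?php
// Constructed example (not ACF's code): a hypothetical plugin that returns a
// stored field value over the WordPress REST API.
// Request shape: GET /wp-json/example-plugin/v1/field/<post_id>/<key>
// post_id 0 is used here to mean a site-wide option rather than post meta.

function example_plugin_read_value( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];
    $key     = sanitize_key( $request['key'] );
    $value   = ( 0 === $post_id ) ? get_option( $key ) : get_post_meta( $post_id, $key, true );
    return rest_ensure_response( $value );
}

// VULNERABLE pattern: the only gate is "is the caller logged in?". Every
// authenticated role (contributor, author, editor) passes, so data that only
// administrators should see is readable. This is a missing authorization check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/field-unchecked/(?P<post_id>\d+)/(?P<key>[\w-]+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_plugin_read_value',
        'permission_callback' => 'is_user_logged_in',
    ) );
} );

// HARDENED pattern: authorize against the object actually being read, not
// against the mere fact of a login.
function example_plugin_can_read_value( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];
    if ( 0 === $post_id ) {
        // Site-wide options are administrator data: require manage_options.
        return current_user_can( 'manage_options' );
    }
    // Post meta: require edit rights on that specific post. A post ID that
    // does not exist is denied by WordPress's capability mapping.
    return current_user_can( 'edit_post', $post_id );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/field/(?P<post_id>\d+)/(?P<key>[\w-]+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_plugin_read_value',
        'permission_callback' => 'example_plugin_can_read_value',
    ) );
} );
```

Because the decision lives in `permission_callback`, WordPress rejects a disallowed request before the callback ever touches the database, which is the behaviour to confirm when reviewing a plugin's REST routes.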

According to the most recent information from the Japan Computer Emergency Response Team Coordination Center:

“WordPress Plugin “Advanced Custom Fields” provided by Delicious Brains contains a missing authorization vulnerability…

Users of this product (Editor, Author, Contributor) may view the information on the database without the access permission.”

The United States National Vulnerability Database has assigned it a CVE reference number, CVE-2022-23183.

ACF Changelog

A changelog is a log detailing all of the changes in each version of a piece of software.

It is difficult to tell which of the changes detailed in the changelog are related to fixing the vulnerability, because the ACF changelog does not explicitly say that something is a security fix; it simply labels them as a “Fix.”

The changelog for the ACF WordPress plugin does not explicitly note that a security issue was addressed.

An entry in the ACF changelog merely states:

“Fix – ACF now validates access to option page field values when accessed via field keys the same way as field names. View More
Fix – REST API now correctly validates fields for Post update requests”

The “View More” link leads to an explainer on the ACF website that says:

“…Calls to get_field() or the_field() on non-ACF WordPress options can also return null. However, using these functions to retrieve any post, user or term meta will return the value, regardless of whether the meta is an ACF field.

…In ACF 5.12.1, these …….

Source: https://www.searchenginejournal.com/acf-wordpress-plugin-vulnerability/444530/