ACF WordPress Plugin Vulnerability Affects Up To +2 Million Sites

The Missing Authorization vulnerability … allows a remote authenticated attacker to view information on a database without access permission. This type of vulnerability allows an attacker to gain access to the site at levels that are normally restricted to users with administrative privileges.

Advanced Custom Fields (ACF) WordPress Plugin

The ACF WordPress plugin is a popular development tool that allows developers to add custom fields to the edit screen as well as customize sections for users, posts, media, and other fields.

The ACF tool allows developers to extend WordPress themes in many ways, which explains why there are millions of active installations.

Missing Authorization Vulnerability

A missing authorization vulnerability occurs when software such as a WordPress plugin does not check a user’s authorization when accessing specific information.

This type of vulnerability can expose sensitive information and remote code execution attacks.

remote authenticated attacker

This particular vulnerability exploits a missing authorization check for users who have some level of authentication.

This means that users with at least the editor, author, or contributor level of authentication can use administrator level privileges to view database information.

According to the most current information from Japan Computer Emergency Response Team Coordination Center:

There is a missing authorization vulnerability in the WordPress plugin “Advanced Custom Fields” provided by Delicious Minds…

Users (editors, authors, contributors) of this product may view information on the database without the Access permission.”

The United States National Vulnerability Database has given it a CVE reference number, CVE-2022-23183

acf changelog

A changelog is a log that details all changes in each version of the software.

It is difficult to tell which changes detailed in the changelog are related to fixing the vulnerability because the ACF changelog does not explicitly say that there are some security improvements, it just states them “fix,

The changelog for the ACF WordPress plugin does not explicitly note that a security issue was addressed.

Part of the ACF changelog simply states:

“Fix – ACF now validates access to options page field values ​​when accessed via field keys as field names. See more
Fix – REST API now correctly validates fields for post update requests”

The “see more” link leads to a lecturer on the ACF website who says:

“… a call to get_field() or the_field() on non-ACF WordPress options will also return null. However, using those functions to retrieve any post, user or word meta will return a value, even if the meta is an acf field.

… In ACF 5.12.1, these restrictions still apply correctly when a field key is used to access an option value, such as using a field name.
“Using ACF Functions to Retrieve Data from an External ACF.”

Enhanced Custom Fields vulnerability has been patched

The ACF vulnerability affects all versions prior to Advanced Custom Fields 5.12.1 and Advanced Custom Fields Pro 5.12.1.

The Japan Computer Emergency Response Team Coordination Center advises all users of the plugin to update to ACF version 5.12.1 immediately.

Source link

Leave a Comment