ACF WordPress plugin vulnerability affects up to +2 million sites

Missing Permission Vulnerability …allows an authenticated remote attacker to view database information without access permission. This type of vulnerability allows an attacker to access the site at levels usually reserved for users with administrator privileges.

Advanced Custom Fields (ACF) WordPress Plugin

The ACF WordPress plugin is a popular developer tool that allows developers to add custom fields to the edit screen as well as customize sections for users, posts, media, and other areas.

The ACF tool allows developers to extend WordPress themes in multiple ways, which is why there are millions of active installs.

Missing Authorization Vulnerability

A missing authorization vulnerability occurs when software such as a WordPress plugin does not check a user’s authorization when accessing specific information.

This type of vulnerability can lead to exposure of sensitive information and remote code execution attacks.

Remote Authenticated Attacker

This particular vulnerability exploits a missing authorization check for users who have a certain level of authentication.

This means that users with at least Editor, Author, or Contributor authentication level can access administrator-level privileges to view database information.

According to the latest information from the Japan Computer Emergency Response Team Coordination Center:

“Advanced Custom Fields WordPress plugin provided by Delicious Brains contains a missing permission vulnerability…

Users of this product (editor, author, contributor) can view database information without access permission. »

The US National Vulnerability Database has assigned it a CVE reference number, CVE-2022-23183

ACF change log

A change log is a log detailing all the changes made to each release of software.

It’s hard to tell which of the changes detailed in the changelog are related to fixing the vulnerability because the ACF changelog doesn’t explicitly say something is a security patch, it just labels them as a “To fix.”

The ACF WordPress plugin changelog does not explicitly note that a security issue has been fixed.

Part of the ACF changelog simply says:

“Fix – ACF now validates access to options page field values ​​when accessed via field keys in the same way as field names. See more
Fixed – REST API now correctly validates fields for POST update requests »

The “Show more” link leads to an explainer on the ACF website that says:

“…calls to get_field() or the_field() on non-ACF WordPress options will also return null. However, using these functions to retrieve any post, user, or term meta will return the value whether or not the meta is an ACF field.

… In ACF 5.12.1, these restrictions now apply correctly when using a field key to access an option value, similar to using the field name.
“Using ACF functions to retrieve data from outside ACF.”

Advanced custom fields vulnerability fixed

The ACF vulnerability affects all versions prior to Advanced Custom Fields 5.12.1 and Advanced Custom Fields Pro 5.12.1.

The Japan Computer Emergency Response Team Coordination Center recommends all users of the plugin to update to ACF 5.12.1 versions immediately.