ACF WordPress Plugin Vulnerability Impacts Up To +2 Million Websites

A missing authorization vulnerability in the plugin permits a remote authenticated attacker to view information in the database without having the access permission. This type of vulnerability lets an attacker reach data on the site that is ordinarily restricted to users with admin privileges.

Advanced Custom Fields (ACF) WordPress Plugin

The ACF WordPress plugin is a popular development tool that allows developers to add custom fields to the Edit screen and to customize the sections for users, posts, media and other areas.

The ACF tool lets developers extend WordPress themes in many ways, which explains why it has millions of active installations.

Missing Authorization Vulnerability

A missing authorization vulnerability occurs when software such as a WordPress plugin does not check whether a user is authorized before giving them access to specific information.

In general, this class of vulnerability can lead to exposure of sensitive information and, depending on what the unprotected function does, to remote code execution. The impact reported for this ACF issue is information disclosure.

Remote Authenticated Attacker

This particular vulnerability is a missing authorization check for users who already have some level of authentication on the site.

That means users with at least Contributor-level access (Contributor, Author or Editor) can read information from the database that is normally restricted to administrators.

According to the most current information from the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC):

“WordPress Plugin “Advanced Custom Fields” provided by Delicious Brains contains a missing authorization vulnerability…

Users of this product (Editor, Author, Contributor) may view the information on the database without the access permission.”

The United States National Vulnerability Database has assigned it the CVE reference number CVE-2022-23183.

ACF Changelog

A changelog is a log detailing the changes in each version of a piece of software.

It is difficult to tell which of the changes detailed in the changelog are related to fixing the vulnerability, because the ACF changelog does not explicitly say that an entry is a security fix; it simply labels entries as a “Fix.” Nowhere does the changelog note that a security issue was addressed.

Part of the ACF changelog simply states:

“Fix – ACF now validates access to option page field values when accessing via field keys the same way as field names. View More
Fix – REST API now correctly validates fields for POST update requests”

The “View More” link leads to an explainer on the ACF website that says:

“…Calls to get_field() or the_field() on non-ACF WordPress options will also return null. However, using these functions to retrieve any post, user or term meta will return the value, regardless of whether the meta is an ACF field.

…In ACF 5.12.1, these restrictions now also correctly apply when using a field key to access an option value, the same as using the field name.”

From the ACF article “Using ACF Functions to Retrieve Data From Outside ACF.”

Advanced Custom Fields Vulnerability is Patched

The ACF vulnerability affects all versions prior to Advanced Custom Fields 5.12.1 and Advanced Custom Fields Pro 5.12.1.

The Japan Computer Emergency Response Team Coordination Center recommends that all users of the plugin update immediately to ACF version 5.12.1.
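The following shell script is an added example, not code from the article, JPCERT/CC or the ACF project. It turns the “all versions prior to 5.12.1” statement into a check a site operator can run: it compares the installed ACF and ACF Pro versions against 5.12.1 and, on a live site, updates whichever install is out of date. It assumes WP-CLI (the `wp` command, with its real `plugin list` and `plugin update` subcommands) is on the host’s PATH; the CSV inside main() is constructed sample plugin-list output so the script also runs offline.

```shell
#!/bin/sh
# Added example (not from the article, JPCERT/CC or the ACF project): tell
# whether an installed ACF plugin is older than the patched 5.12.1 release
# and, on a real site, update it with WP-CLI. Assumes WP-CLI ("wp") is on the
# host's PATH; the CSV in main() is constructed sample output so the script
# also runs offline.
set -e

PATCHED_VERSION="5.12.1"   # first fixed release of both ACF and ACF Pro

# version_lt A B: succeeds when dotted version A is numerically lower than B.
# Missing components count as 0 and a non-numeric suffix ("-beta") is ignored,
# so "5.12" is lower than "5.12.1" while "5.12.1" is not lower than itself.
version_lt() {
    vl_a=$1
    vl_b=$2
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_x=${vl_a%%.*}; vl_x=${vl_x%%[!0-9]*}; vl_x=${vl_x:-0}
        vl_y=${vl_b%%.*}; vl_y=${vl_y%%[!0-9]*}; vl_y=${vl_y:-0}
        [ "$vl_x" -lt "$vl_y" ] && return 0
        [ "$vl_x" -gt "$vl_y" ] && return 1
        case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
        case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
    done
    return 1
}

# is_vulnerable_acf_version V: succeeds when V predates the fix.
is_vulnerable_acf_version() {
    version_lt "$1" "$PATCHED_VERSION"
}

# Reads `wp plugin list --fields=name,version,status --format=csv` on stdin and
# prints "<slug> <version>" for each ACF or ACF Pro install that needs updating.
# The CSV header line never matches the slugs, so it is skipped naturally.
vulnerable_acf_plugins() {
    while IFS=, read -r va_name va_version va_status; do
        case $va_name in
            advanced-custom-fields|advanced-custom-fields-pro)
                if is_vulnerable_acf_version "$va_version"; then
                    printf '%s %s\n' "$va_name" "$va_version"
                fi
                ;;
        esac
    done
}

main() {
    if command -v wp >/dev/null 2>&1; then
        # Real site: update every out-of-date ACF install found by the check.
        wp plugin list --fields=name,version,status --format=csv \
            | vulnerable_acf_plugins \
            | while read -r slug rest; do wp plugin update "$slug"; done
    else
        # Offline demonstration on constructed sample plugin-list output.
        printf '%s\n' \
            'name,version,status' \
            'advanced-custom-fields,5.12.0,active' \
            'advanced-custom-fields-pro,5.12.1,inactive' \
            'akismet,4.2.2,active' \
            | vulnerable_acf_plugins
    fi
}

main "$@"
```

On the sample data the script reports only `advanced-custom-fields 5.12.0`; the Pro install is already at the patched release. The comparison is done component by component rather than with a string compare, because `"5.9.9" > "5.12.1"` is true as text and would wrongly mark an old install as safe. ACF Pro is updated from the vendor’s own server rather than from WordPress.org, so check that the site’s Pro licence is active before relying on `wp plugin update` for it.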
