Advanced Custom Fields - Contributor+ PHP Object Injection
CVE-2023-1196

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Advanced Custom Fields (acf); Advanced Custom Fields (acf) Pro
Vendor: CVE Published:; 2 May 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Advanced Custom Fields (ACF) Free and Pro WordPress plugins prior to versions 6.1.0 and 5.12.5 are susceptible to PHP Object Injection due to the unserialization of user-controllable data. This vulnerability can be exploited by users with Contributor roles or higher, enabling them to execute arbitrary PHP code through the manipulated payload when a specific gadget is available in the environment.

Affected Version(s)

Advanced Custom Fields (ACF) 5.0.0 < 5.12.5

Advanced Custom Fields (ACF) 6.0.0 < 6.1.0

Advanced Custom Fields (ACF) Pro 5.0.0 < 5.12.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-1196 - Proof of Concept

References

https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-...

exploitvdb-entrytechnical-description

https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
May 2, 2023
👾
Exploit known to exist
May 2, 2023
Vulnerability published
May 2, 2023
Vulnerability Reserved
Mar 6, 2023

Credit

Nguyen Huu Do

WPScan