Lack of authorization vulnerability…allowing a remote authenticated attacker to view information in the database without access rights. This vulnerability allows an attacker to access the site at a level usually limited to users with administrator privileges.
Advanced Custom Fields (ACF) WordPress Plugin
The ACF WordPress plugin is a popular development tool that allows developers to add custom fields to edit screens and to customize sections for users, posts, media, and other areas.
ACF tools allow developers to extend WordPress themes in many ways, which explains why there are millions of active installs.
Missing Authorization Vulnerability
A missing authorization vulnerability occurs when software, such as a WordPress plugin, does not check whether the user is authorized before giving access to specific information.
Such vulnerabilities could lead to sensitive information disclosure and remote code execution attacks.
Remote Authenticated Attacker
This particular vulnerability stems from a missing authorization check for users who already have some level of authentication.
This means that users with at least Contributor, Author, or Editor level access can reach admin-level permissions to view database information.
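The pattern described above, an endpoint that confirms the caller is logged in but never asks whether they hold the right capability, is shown here as an added example (hypothetical plugin code, not ACF's own; the route names, option name and function names are made up for illustration). The weak route lets any Contributor read a site option; the hardened route requires the `manage_options` capability that WordPress grants to Administrators.

```php
<?php
// Hypothetical example: a plugin exposes a site option through the REST API.
// Not ACF code; 'acme/v1' and 'acme_private_setting' are made-up names.

// Weak version: is_user_logged_in() only establishes authentication, not
// authorization. Any Editor, Author or Contributor passes this check and can
// read the option, which is the class of bug described above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/private-setting', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'acme_read_private_setting',
        'permission_callback' => 'is_user_logged_in', // authentication != authorization
    ) );
} );

// Hardened version: require the capability that the data actually belongs to.
// manage_options is the capability WordPress grants to Administrators for
// reading and writing site options.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/private-setting-fixed', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'acme_read_private_setting',
        'permission_callback' => 'acme_can_read_private_setting',
    ) );
} );

function acme_can_read_private_setting() {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // rest_authorization_required_code() returns 401 for anonymous callers and
    // 403 for authenticated callers who lack the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to read this setting.', 'acme' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

// Shared handler: it trusts the permission_callback to have done the gatekeeping,
// which is exactly why that callback must check authorization, not just login.
function acme_read_private_setting( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'value' => get_option( 'acme_private_setting', '' ),
    ) );
}
```

To confirm the fix on a test site, call both routes with a Contributor account: the first returns the option value, the hardened one answers 403.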
According to the latest advisory from the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC):
“WordPress Plugin “Advanced Custom Fields” by Delicious Brains Contains Missing Authorization Vulnerability…
Users of this product (Editor, Author, Contributor) can view information in the database without access rights.”
The National Vulnerability Database has assigned it the CVE reference number CVE-2022-23183.
ACF Changelog
A change log is a log detailing all changes in each software release.
It’s hard to tell which of the changes detailed in the changelog are related to fixing the vulnerability, because the ACF changelog doesn’t explicitly say that an entry is a security fix; it just marks entries as “Fix”.
The changelog for the ACF WordPress plugin does not explicitly state that the security issue has been resolved.
Part of the ACF changelog simply states:
“Fix – ACF now validates access to options page field values in the same way as field names when accessed by field key. See more
FIXED – REST API now correctly validates fields for POST update requests”
The “see more” link leads to an explainer on the ACF website that says:
“…calling get_field() or the_field() on a non-ACF WordPress option will also return null. However, using these functions to retrieve any post, user, or term meta will return that value, whether the meta is an ACF field or not.
…in ACF 5.12.1, these restrictions now also apply correctly when using field keys to access option values, the same as using field names.”
“Use ACF functions to retrieve data from an external ACF.”
Advanced Custom Fields Vulnerability Patched
The ACF vulnerability affects all versions prior to Advanced Custom Fields 5.12.1 and Advanced Custom Fields Pro 5.12.1.
The Japan Computer Emergency Response Team Coordination Center recommends that all users of this plugin update to ACF version 5.12.1 immediately.