CVE-2022-2594
published 2022-08-22

CVE-2022-2594: The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload…

Priority: P3 (45)
CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.26% (66.0th percentile)
The Advanced Custom Fields WordPress plugin before 5.12.3 and the Advanced Custom Fields Pro WordPress plugin before 5.12.3 allow unauthenticated users to upload files of the types permitted by a default WordPress configuration (so PHP is not possible) if a frontend form is available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.

Affected (5 ranges)

Vendor                | Product                    | Version range       | Fixed in
----------------------|----------------------------|---------------------|---------
advancedcustomfields  | advanced_custom_fields     | >= 5.0.0 < 5.12.3   | 5.12.3
todo                  | advanced_custom_fields     | >= 5.0 < 5.0*       | 5.0*
todo                  | advanced_custom_fields     | >= 5.12.3 < 5.12.3  | 5.12.3
todo                  | advanced_custom_fields_pro | >= 5.0 < 5.0*       | 5.0*
todo                  | advanced_custom_fields_pro | >= 5.12.3 < 5.12.3  | 5.12.3