CVE-2022-2594
Published: 2022-08-22
Priority: P345 | Severity: high | CVSS 3.1 base score: 8.8
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.26% (66.0th percentile)
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advancedcustomfields | advanced_custom_fields | >= 5.0.0 < 5.12.3 | 5.12.3 |
| todo | advanced_custom_fields | >= 5.0 < 5.0* | 5.0* |
| todo | advanced_custom_fields | >= 5.12.3 < 5.12.3 | 5.12.3 |
| todo | advanced_custom_fields_pro | >= 5.0 < 5.0* | 5.0* |
| todo | advanced_custom_fields_pro | >= 5.12.3 < 5.12.3 | 5.12.3 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://wpscan.com/vulnerability/3fde5336-552c-4861-8b4d-89a16735c0e2
https://www.pritect.net/blog/advanced-custom-fields-5-12-3-can-allow-unauthenticated-users-to-upload-arbitrary-files