CVE-2023-1196 — Deserialization of Untrusted Data in Advanced Custom Fields

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 41.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Advancedcustomfields Advanced Custom Fields

Timeline

PublishedMay 2

Description

The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDadvancedcustomfields/advanced_custom_fields5.0.0 — 5.12.5+1

🔴Vulnerability Details

GHSA

GHSA-mqwh-49j7-27h8: The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6↗2023-05-02

▶

CVEList

Advanced Custom Fields - Contributor+ PHP Object Injection↗2023-05-02

▶