An Advanced Custom Fields exploit was found recently. According to Cyber Express, a critical security flaw has been discovered in a widely used Advanced Custom Fields add-on plugin for WordPress. It affects the ACF: Extended plugin. An advisory issued about the flaw assigns it a severity rating of 9.8, meaning that successful exploitation can have a serious impact.
What’s the problem with the Advanced Custom Fields exploit?
The main problem is a privilege escalation vulnerability caused by missing role restrictions during user registration. The plugin's insert_user function does not enforce any limit on which WordPress role can be assigned when a new account is created. Normally, WordPress strictly controls role assignment during registration to prevent unauthorized privilege elevation, but the Advanced Custom Fields exploit bypasses that safeguard.
Exploitation occurs when the site uses a front-end form provided by the plugin that maps a custom field directly to the WordPress user role. An attacker could examine the form's HTML, intercept the HTTP request, and change the submitted value from subscriber to administrator. The plugin would then pass this value straight to WordPress's user creation functions without any validation, granting full administrator access.
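The pattern described above, as an added PHP illustration that is not ACF: Extended's own code: a registration handler that forwards the submitted role to wp_insert_user() beside a hardened one that takes the role from server-side configuration only. The function names, form field names and nonce action are assumptions.

```php
<?php
// Added illustration of the pattern the article describes; it is not ACF: Extended's
// own code. Function names, the form field names and the nonce action are hypothetical.

// Unsafe pattern: the "role" value submitted by the browser is handed to
// wp_insert_user() unchanged, so the client decides which role the new account gets.
function unsafe_register_from_form( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => $post['user_pass'] ?? '',
        'role'       => $post['role'] ?? 'subscriber', // client-controlled
    ) );
}

// Hardened handler: the role comes from the site's configured default role only.
// Any role field the client sends is ignored, and a mismatch is logged as a tamper signal.
function safe_register_from_form( array $post ) {
    // Reject requests that did not originate from the site's own form.
    if ( ! wp_verify_nonce( $post['_wpnonce'] ?? '', 'frontend_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }

    $role = get_option( 'default_role', 'subscriber' );

    // A submitted role that differs from the server-side value is never honoured;
    // record it so that tampering attempts show up in the logs.
    if ( isset( $post['role'] ) && $post['role'] !== $role ) {
        error_log( sprintf( 'registration: ignored submitted role "%s" from %s',
            sanitize_key( $post['role'] ), $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => $post['user_pass'] ?? '',
        'role'       => $role,
    ) );
}
```

Callers should check the return value with is_wp_error() before using the user ID.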