Arbitrary File Upload

Advanced Custom Fields and Advanced Custom Fields Pro have 2+ million installs according to wordpress.org. Versions older than 5.12.3 allow unauthenticated users to upload arbitrary files if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.

Fortunately by default WordPress does not allow uploading of .php files so this vulnerability is not easily wormable, but there are many other file types that can be uploaded that can be then used with another exploit to execute code or used in a phishing attack to get a user to download and execute a resource from a “trusted” site.

No exploit code is being released at this time.

Timeline

• 7/11/2022 Contacted developer
• 7/12/2022 Disclosed vulnerability
• 7/13/2022 Patch received from developer for testing
• 7/14/2022 Fix deployed to GitHub and pushed to wordpress.org plugin repository