CVE-2022-2594

Summary

The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.

Affected Software

VendorProductVersion RangeStatus
TODOAdvanced Custom Fields5.0 < 5.0*affected
TODOAdvanced Custom Fields5.12.3 < 5.12.3affected
TODOAdvanced Custom Fields Pro5.0 < 5.0*affected
TODOAdvanced Custom Fields Pro5.12.3 < 5.12.3affected

Weaknesses

  • CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type

ADP Enrichment

CVE Program Container

Additional References

References