CVE-2023-1196

Summary

The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.

Affected Software

VendorProductVersion RangeStatus
UnknownAdvanced Custom Fields (ACF)5.0.0 < 5.12.5affected
UnknownAdvanced Custom Fields (ACF)6.0.0 < 6.1.0affected
UnknownAdvanced Custom Fields (ACF) Pro5.0.0 < 5.12.5affected
UnknownAdvanced Custom Fields (ACF) Pro6.0.0 < 6.1.0affected

Weaknesses

  • CWE-502 Deserialization of Untrusted Data

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References