Advanced Custom Fields (ACF) just lately patched a lacking authorization vulnerability in model 5.12.1 that doubtlessly impacts greater than one million customers. The safety issue was found by Keitaro Yamazaki of Ierae Safety, Inc, who reported it to the Information-technology Promotion Agency (IPA).
In line with the CVE record information, the vulnerability impacts all free variations of ACF prior to five.12.1 and ACF Professional variations prior to five.12.1. It permits a distant authenticated attacker to view the data on the database with out the proper entry permission. The Nationwide Vulnerability Database offers this explicit vulnerability a 6.5 Medium rating.
ACF product supervisor Iain Poulson defined that there are particular circumstances essential to make an assault doable.
“Particularly, the attacker must already possess an account on the positioning at contributor-level or larger, in order that they’d seemingly be somebody identified to the positioning’s homeowners,” Poulson mentioned. “There are a selection of different circumstances that may all should be current for the assault to achieve success. I’d quite not go into element about precisely what these circumstances are, as offering that data simply will increase the probabilities that somebody will go searching for one of many few websites that matches these specs.”
ACF launched the patched model (5.12.1) on March 23, 2022, however the majority of the plugin’s two million customers (~70%) are nonetheless operating on older variations, leaving doubtlessly greater than one million customers weak.
ACF’s changelog notes the repair in model 5.12.1 however doesn’t explicitly establish it as being a safety repair. The plugin’s weblog and Twitter accounts didn’t announce the replace, so customers might not know that their websites are weak.
ACF representatives didn’t responded to our request for remark about why it was not specified as a safety repair within the changelog. For websites which will have computerized updates turned off, the Japan Pc Emergency Response Workforce Coordination Middle (JPCERT/CC) and the ACF group recommend customers replace to the newest model to guard their websites.