The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/3fde5336-552c-4861-8b4d-89a16735c0e2 | Exploit Third Party Advisory |
https://www.pritect.net/blog/advanced-custom-fields-5-12-3-can-allow-unauthenticated-users-to-upload-arbitrary-files | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2022-08-22T15:05:03
Updated: 2022-08-22T15:05:02
Reserved: 2022-08-01T00:00:00
Link: CVE-2022-2594
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-08-22T15:15:15.653
Modified: 2022-08-23T19:16:17.567
Link: CVE-2022-2594
JSON object: View
Redhat Information
No data.
CWE