A missing authorization vulnerability in the Advanced Custom Fields WordPress plugin allows a remote authenticated attacker to view information in the database without proper access permissions. It gives lower-privileged users access to data that is normally restricted to administrators.
Advanced Custom Fields (ACF) WordPress Plugin
The ACF WordPress plugin is a popular tool for developers to add custom fields to the Edit screen and customize sections for users, posts, media, and other areas.
The ACF tool extends WordPress themes in various ways, which contributes to its millions of active installations.
Missing Authorization Vulnerability
A missing authorization vulnerability occurs when software like a WordPress plugin does not verify user authorization when accessing specific information.
Depending on what the unchecked code path reaches, such a flaw can expose sensitive information to users who should not see it, or let them perform actions reserved for higher-privileged roles; in the ACF case the reported impact is unauthorized reading of database information.
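The bug class in WordPress terms, as an added illustration that is not code from ACF or Delicious Brains: a plugin REST route that hands option data to any caller because its `permission_callback` accepts every request, shown beside the corrected registration. The plugin name, the `example/v1/settings` route and the `example_plugin_settings` option name are assumptions made for the example; the WordPress functions used (`register_rest_route`, `current_user_can`, `rest_authorization_required_code`, `rest_ensure_response`) are real.

```php
<?php
/**
 * Plugin Name: Example Settings Endpoint (missing-authorization demo)
 *
 * Added illustration for this article, not code from ACF. Drop the file into
 * wp-content/plugins/ and activate it. Route and option names are assumptions.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Only run inside WordPress.
}

// Hypothetical option holding the plugin's settings.
const EXAMPLE_OPTION_NAME = 'example_plugin_settings';

/**
 * VULNERABLE registration (kept for comparison, never hooked).
 *
 * '__return_true' makes the permission check always succeed, so any
 * authenticated user (Contributor, Author, Editor) and, because the route
 * is public, even an anonymous visitor can read the option. No capability
 * is ever checked: this is the missing-authorization pattern.
 */
function example_register_settings_route_unsafe() {
	register_rest_route( 'example/v1', '/settings', array(
		'methods'             => 'GET',
		'callback'            => 'example_read_settings',
		'permission_callback' => '__return_true',
	) );
}

/**
 * FIXED registration: the route is reachable only by users holding the
 * manage_options capability, which by default only Administrators have.
 */
function example_register_settings_route() {
	register_rest_route( 'example/v1', '/settings', array(
		'methods'             => 'GET',
		'callback'            => 'example_read_settings',
		'permission_callback' => 'example_can_read_settings',
	) );
}

/**
 * Authorization check. WordPress runs this before the callback; returning
 * a WP_Error short-circuits the request with the given status.
 * rest_authorization_required_code() yields 401 for anonymous callers and
 * 403 for logged-in users who lack the capability.
 */
function example_can_read_settings( WP_REST_Request $request ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error(
			'rest_forbidden',
			'You are not allowed to read these settings.',
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return true;
}

/**
 * Data access. It stays free of authorization logic on purpose: the
 * decision is made once, in the permission callback, for every request.
 */
function example_read_settings( WP_REST_Request $request ) {
	$settings = get_option( EXAMPLE_OPTION_NAME, array() );
	return rest_ensure_response( $settings );
}

// Only the hardened registration is wired up.
add_action( 'rest_api_init', 'example_register_settings_route' );
```

With the hardened registration active, an Editor requesting `GET /wp-json/example/v1/settings` gets HTTP 403 (an anonymous request gets 401), while an Administrator receives the option contents. The same rule applies to routes that update data: the capability check belongs in `permission_callback` (or at the top of the callback) rather than being assumed from the fact that the caller is logged in, and WordPress 5.5 and later emit a notice when a route is registered without a `permission_callback` at all.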
Remote Authenticated Attacker
The attacker needs an account on the site, but not an administrator account: the missing authorization check lets users with Editor, Author, or Contributor roles view database information that should only be available to administrators.
The attacker does not actually acquire administrator privileges; the plugin simply fails to check for them before returning the data.
According to the Japan Computer Emergency Response Team Coordination Center:
“WordPress Plugin ‘Advanced Custom Fields’ provided by Delicious Brains contains a missing authorization vulnerability…
Users of this product (Editor, Author, Contributor) may view the information in the database without access permission.”
The vulnerability has been assigned the identifier CVE-2022-23183 and is listed in the United States National Vulnerability Database.
ACF Changelog
A changelog details all the changes in each software version.
It is difficult to tell which changelog entries address the vulnerability, because the ACF changelog does not label security fixes: they appear as ordinary “Fix” items, and nowhere does the changelog state that a security issue was addressed.
Part of the ACF changelog simply states:
“Fix – ACF now validates access to option page field values when accessing via field keys the same way as field names. Fix – REST API now correctly validates fields for POST update requests”.
The accompanying explanation on the ACF website says:
“…Calls to get_field() or the_field() on non-ACF WordPress options will return null. Using these functions to retrieve any post, user, or term meta will return the value, irrespective of whether the meta is an ACF field.
…In ACF 5.12.1, these restrictions now also apply correctly when using a field key to access an option value, just as using the field name does.”
That passage is from the ACF website page titled “Using ACF Functions to Retrieve Data From Outside ACF.”
Advanced Custom Fields Vulnerability is Patched
The ACF vulnerability affects all versions before Advanced Custom Fields 5.12.1 and Advanced Custom Fields Pro 5.12.1.
The Japan Computer Emergency Response Team Coordination Center advises all users of the plugin to update immediately to ACF version 5.12.1 or later.