Vulnerability Description
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Advancedcustomfields | Advanced Custom Fields | >= 5.0.0, < 5.12.3 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/3fde5336-552c-4861-8b4d-89a16735c0e2ExploitThird Party Advisory
- https://www.pritect.net/blog/advanced-custom-fields-5-12-3-can-allow-unauthenticThird Party Advisory
- https://wpscan.com/vulnerability/3fde5336-552c-4861-8b4d-89a16735c0e2ExploitThird Party Advisory
- https://www.pritect.net/blog/advanced-custom-fields-5-12-3-can-allow-unauthenticThird Party Advisory
FAQ
What is CVE-2022-2594?
CVE-2022-2594 is a vulnerability with a CVSS score of 8.8 (HIGH). The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration ...
How severe is CVE-2022-2594?
CVE-2022-2594 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-2594?
Check the references section above for vendor advisories and patch information. Affected products include: Advancedcustomfields Advanced Custom Fields.