Vulnerability Description
The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Advancedcustomfields | Advanced Custom Fields | >= 5.0.0, < 5.12.5 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-74155d849edeExploitThird Party Advisory
- https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-ace809460a33ExploitThird Party Advisory
- https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-74155d849edeExploitThird Party Advisory
- https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-ace809460a33ExploitThird Party Advisory
FAQ
What is CVE-2023-1196?
CVE-2023-1196 is a vulnerability with a CVSS score of 8.8 (HIGH). The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above ...
How severe is CVE-2023-1196?
CVE-2023-1196 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-1196?
Check the references section above for vendor advisories and patch information. Affected products include: Advancedcustomfields Advanced Custom Fields.