WordPress Plugin Vulnerabilities

Advanced Custom Fields < 5.7.12 - Unserialize of user input

Description

Multiple maybe_unserialize calls result with unserialize of user input. Low priviledged users as contributors, but in many cases visitors too

Proof of Concept

Affects Plugins

Plugin icon
advanced-custom-fields
Fixed in 5.7.12

References

URL
https://medium.com/websec/wordpress-acf-5-7-10-unserialize-of-user-input-ac17cc473e0d

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Original Researcher
Slavco
Submitter
Slavco
Submitter website
https://medium.com/websec
Submitter twitter
mslavco
Verified
No
WPVDB ID
14d0223a-4aca-4069-82f2-ba22e354daad

Timeline

Publicly Published
2019-02-15 (about 7 years ago)
Added
2019-06-17 (about 6 years ago)
Last Updated
2019-11-26 (about 6 years ago)

Other

Published
Title
Published
2025-05-21
Title
Pix 4x sem juros - Pagaleve < 1.6.10 - Unauthenticated PHP Object Injection
Published
2024-05-22
Title
Hash Form – Drag & Drop Form Builder < 1.1.1 - Unauthenticated PHP Object Injection
Published
2022-11-17
Title
Betheme < 26.6 - Subscriber+ PHP Object Injection
Published
2024-04-05
Title
WP Import Export Lite < 3.9.27 - Authenticated (Administrator+) PHP Object Injection
Published
2025-09-23
Title
Addison < 1.4.8 - Unauthenticated PHP Object Injection