Advanced Custom Fields < 6.1.0 – Contributor+ PHP Object Injection | CVE 2023-1196 | Plugin Vulnerabilities

Description

The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

Setup (As admin)

- To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

- Activate the plugin, access the Custom Fields Menu and create a simple Field Group

Attack (as a contributor)
- Create a new post with dummy content, fill in the plugin's text field at the bottom of the screen with O:4:"Evil":0:{}, then save the draft
- Reload the page and click "x revisions", this will trigger the PHP Object Injection

Affects Plugins

advanced-custom-fields

Fixed in 6.1.0

advanced-custom-fields-pro

Fixed in 6.1.0

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Huu Do

Submitter

Nguyen Huu Do

Verified

Yes

WPVDB ID

8e5ec88e-0e66-44e4-bbf2-74155d849ede

Timeline

Publicly Published

2023-04-10 (about 1 years ago)

Added

2023-04-10 (about 1 years ago)

Last Updated

2023-04-12 (about 1 years ago)

Other

Published

Title

Published

2017-04-27

Title

Row Seats Core < 2.68 - Unauthenticated PHP Object Injection

Published

2023-12-27

Title

WebinarIgnition < 3.05.1 - Authenticated (Subscriber+) PHP Object Injection

Published

2023-09-05

Title

RSVPMaker < 10.6.7 - Unauthenticated PHP Object Injection

Published

2024-03-04

Title

Auto Refresh Single Page <= 1.1 - Authenticated (Contributor+) PHP Object Injection

Published

2016-03-02

Title

Easy Digital Downloads < 2.5.8 - PHP Object Injection