Advanced Custom Fields < 5.12.5 – Contributor+ PHP Object Injection | CVE 2023-1196 | Plugin Vulnerabilities

Description

The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

Setup (As admin)

- To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

- Activate the plugin, access the Custom Fields Menu and create a simple Field Group

Attack (as a contributor)
- Create a new post with dummy content, fill in the plugin's text field at the bottom of the screen with O:4:"Evil":0:{}, then save the draft
- Reload the page and click "x revisions", this will trigger the PHP Object Injection

Affects Plugins

advanced-custom-fields

Fixed in 5.12.5

advanced-custom-fields-pro

Fixed in 5.12.5

References

CVE

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Huu Do

Submitter

Nguyen Huu Do

Verified

Yes

WPVDB ID

cf376ca2-92f6-44ff-929a-ace809460a33

Timeline

Publicly Published

2023-04-10 (about 2 years ago)

Added

2023-04-10 (about 2 years ago)

Last Updated

2023-04-12 (about 2 years ago)

Other

Published

Title

Published

2023-10-17

Title

E2Pdf < 1.20.19 - Authenticated (Administrator+) PHP Object Injection

Published

2025-08-08

Title

Gravity Forms Zoho CRM and Bigin <= 1.2.9 - Unauthenticated PHP Object Injection

Published

2025-11-12

Title

AI Engine < 3.1.9 - Subscriber+ PHP Object Injection via PHAR Deserialization

Published

2024-04-09

Title

Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce < 2.6.4 - Authenticated (Admin+) PHP Object Injection

Published

2023-03-27

Title

WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization