ACF WordPress Plugin Vulnerability Affects Up To +2 Million Sites

Advanced Custom Fields plugin patched a Missing Authorization vulnerability that allows an attacker to view database information

Missing authorization vulnerability …allows a remote authenticated attacker to view the information on the database without the access permission. This kind of vulnerability allows an attacker to attain access to the site at levels that are ordinarily restricted to users with admin privileges.

Advanced Custom Fields (ACF) WordPress Plugin
The ACF WordPress plugin is a popular development tool that allows developers to add custom fields to the Edit screen as well as to customize the sections for users, posts, media and other areas.

The ACF tool allows developers to extend WordPress themes in many ways, which explains why there are millions of active installations.

Missing Authorization Vulnerability
A missing authorization vulnerability happens when software such as a WordPress plugin does not check whether a user is authorized before giving access to specific information or functionality.

This type of vulnerability can lead to exposure of sensitive information and remote code execution attacks.

Remote Authenticated Attacker
This particular vulnerability is a missing authorization check that affects users who already have some level of authentication.

That means that users logged in with contributor, author or editor level access can reach admin-level privileges in order to view database information.
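As an added illustration (not ACF's code, which the article does not show), the hypothetical admin-ajax handler below is shown first without an authorization check and then with one; the `myplugin_` names and the `myplugin-field` post type are assumptions.

```php
<?php
// Added illustration, not ACF's code. A hypothetical plugin exposes its
// stored field definitions through an admin-ajax action.

// Vulnerable form (shown for comparison, not hooked below): wp_ajax_* runs
// for every logged-in user, so a contributor, author or editor can call it.
// WordPress checks authentication here; authorization is never checked.
function myplugin_get_fields_vulnerable() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT ID, post_title, post_content FROM {$wpdb->posts}
         WHERE post_type = 'myplugin-field'",
        ARRAY_A
    );
    wp_send_json_success( $rows ); // returns admin-only data to any role
}

// Hardened form: verify the request nonce (anti-CSRF) and require the
// capability the data actually needs before touching the database.
function myplugin_get_fields_hardened() {
    check_ajax_referer( 'myplugin_get_fields', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        // Contributor, author and editor roles lack manage_options; refuse early.
        // wp_send_json_error() ends the request, so nothing below runs.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    global $wpdb;
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title, post_content FROM {$wpdb->posts}
             WHERE post_type = %s",
            'myplugin-field'
        ),
        ARRAY_A
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_myplugin_get_fields', 'myplugin_get_fields_hardened' );

// The admin page that issues the request must embed a matching nonce:
//   wp_localize_script( 'myplugin-admin', 'myplugin', array(
//       'nonce' => wp_create_nonce( 'myplugin_get_fields' ),
//   ) );
```

The capability to require depends on what the data is for; `manage_options` is used here because the article describes the exposed information as admin-level.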

According to the most current information from the Japan Computer Emergency Response Team Coordination Center:
