CVE-2023-1196

Published: May 2, 2023Modified: Jan 30, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.

Affected (2)

Products: Advancedcustomfields: Advanced Custom Fields

Advancedcustomfields

1 product

Advanced Custom Fields

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Advancedcustomfields Advanced Custom Fields	From 5.0.0 to 5.12.5
Advancedcustomfields Advanced Custom Fields	From 6.0.0 to 6.1.0

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-74155d849ede

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-ace809460a33

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-74155d849ede

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-ace809460a33

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.