Missing authorization vulnerability …allows a remote authenticated attacker to view the information on the database without the access permission. This kind of vulnerability allows an attacker to attain access to the site at levels that are ordinarily restricted to users with admin privileges.
Advanced Custom Fields (ACF) WordPress Plugin
The ACF WordPress plugin is a popular development tool that allows developers to add custom fields to the Edit screen as well as to customize the sections for users, posts, media and other areas.
The ACF tool allows developers to extend WordPress themes in many ways, which explains why there are millions of active installations.
Missing Authorization Vulnerability
A missing authorization vulnerability occurs when software such as a WordPress plugin does not check whether a user is authorized before granting access to specific information.
This type of vulnerability can lead to exposure of sensitive information and remote code execution attacks.
Remote Authenticated Attacker
This particular vulnerability exploits a missing authorization check for users who have some level of authentication.
That means that users with at least Editor, Author or Contributor level accounts can exercise admin-level privilege to view database information.
According to the most current information from the Japan Computer Emergency Response Team Coordination Center:
“WordPress Plugin “Advanced Custom Fields” provided by Delicious Brains contains a missing authorization vulnerability…
Users of this product (Editor, Author, Contributor) may view the information on the database without the access permission.”
The United States National Vulnerability Database has assigned it a CVE reference number, CVE-2022-23183.
A changelog is a log detailing all the changes in each version of a software.
It’s difficult to tell which of the changes detailed in the changelog are related to fixing the vulnerability, because the ACF changelog does not explicitly say that something is a security fix; it just labels such changes as a “Fix.”
The changelog for the ACF WordPress plugin does not explicitly note that a security issue was addressed.
Part of the ACF changelog simply states:
“Fix – ACF now validates access to option page field values when accessing via field keys the same way as field names. View More
Fix – REST API now correctly validates fields for POST update requests”
The “View More” link leads to an explainer on the ACF website that says:
“…Calls to get_field() or the_field() on non-ACF WordPress options will also return null. However, using those functions to retrieve any post, user or term meta will return the value, regardless of if the meta is an ACF field.
…In ACF 5.12.1, these restrictions now also correctly apply when using a field key to access an option value, the same as using the field name.”
The explainer is titled “Using ACF Functions to Retrieve Data From Outside ACF.”
Advanced Custom Fields Vulnerability is Patched
The ACF vulnerability affects all versions prior to Advanced Custom Fields 5.12.1 and Advanced Custom Fields Pro 5.12.1.
The Japan Computer Emergency Response Team Coordination Center recommends that all users of the plugin update immediately to ACF version 5.12.1.
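For site operators who manage several WordPress installs, the following added helper (not from the article or from ACF) checks whether the installed ACF or ACF Pro version is still below 5.12.1, the first fixed release named above. It assumes WP-CLI is available and that the `--path` argument points at a WordPress root; `acf_version_is_affected` itself needs only `sort -V`.

```shell
#!/bin/sh
# Added helper (not from the article or from ACF): flag installs still on a
# version affected by CVE-2022-23183. Assumes WP-CLI is installed and the
# WordPress root is passed as the first argument to audit_acf (default ".").

FIXED_VERSION="5.12.1"

# Return 0 (true) when version $1 sorts strictly below the fixed version.
acf_version_is_affected() {
    installed="$1"
    # sort -V orders version strings component by component, so 5.9.9 sorts
    # below 5.12.1 (plain string sorting would get this wrong). If the lowest
    # of the two is the installed version and it is not the fix itself, the
    # install predates 5.12.1.
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$installed" ] && [ "$installed" != "$FIXED_VERSION" ]
}

# Report status for every ACF variant present on the site; one line per plugin.
# Both the free plugin and ACF Pro were affected before 5.12.1.
audit_acf() {
    wp_path="${1:-.}"
    for slug in advanced-custom-fields advanced-custom-fields-pro; do
        # wp plugin get prints only the version when --field=version is used;
        # a missing plugin makes the command fail, so it is skipped.
        version=$(wp plugin get "$slug" --field=version --path="$wp_path" 2>/dev/null) || continue
        if acf_version_is_affected "$version"; then
            echo "$slug $version AFFECTED (update to $FIXED_VERSION or later)"
        else
            echo "$slug $version ok"
        fi
    done
}
```

Run `audit_acf /var/www/example` (path is a placeholder) on each host; any line marked AFFECTED should be updated before the site is considered patched.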