CVE-2023-1196
Advanced Custom Fields - Contributor+ PHP Object Injection
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.8EPSS 1.1%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
02 May 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →