Advanced Custom Fields (ACF®) <= 6.8.1 - Missing Authorization
Description
The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.8.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=6.8.1What Changed in the Fix
Changes introduced in v6.8.2
Source Code
WordPress.org SVN# Research Plan - Advanced Custom Fields (ACF) <= 6.8.1 - Missing Authorization ## Vulnerability Summary The Advanced Custom Fields (ACF) plugin for WordPress (versions up to 6.8.1) is vulnerable to unauthorized access due to missing capability checks on specific AJAX handlers. While ACF is designe…
Show full research plan
Research Plan - Advanced Custom Fields (ACF) <= 6.8.1 - Missing Authorization
Vulnerability Summary
The Advanced Custom Fields (ACF) plugin for WordPress (versions up to 6.8.1) is vulnerable to unauthorized access due to missing capability checks on specific AJAX handlers. While ACF is designed to allow frontend form submissions via acf_form(), certain internal AJAX actions used for screen logic and field group querying were exposed to unauthenticated users without proper authorization. This allows an attacker to perform unauthorized actions or disclose sensitive configuration data about the site's field groups and post structures.
Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
acf/ajax/check_screen(and potentiallyacf/ajax/query_settingsoracf/ajax/validate_save_post) - Authentication: None required (
wp_ajax_nopriv_registration or missing check in the unified AJAX dispatcher). - Payload: JSON/URL-encoded parameters specifying a "screen" context to probe for field group configurations.
- Preconditions: The plugin must be active. For maximum impact, some field groups should be defined and assigned to posts or pages.
Code Flow
- Entry Point: A request is made to
admin-ajax.phpwith theactionparameter set toacf/ajax/check_screen. - Dispatcher: ACF uses a unified AJAX dispatcher (typically in `includes/ajax/class
Summary
The Advanced Custom Fields (ACF) plugin (<= 6.8.1) lacks proper authorization checks on certain AJAX handlers, including 'acf/ajax/check_screen'. This allows unauthenticated attackers to trigger these handlers to disclose sensitive field group configurations or metadata about the site's structure.
Security Fix
@@ -9,7 +9,7 @@ * Plugin Name: Advanced Custom Fields * Plugin URI: https://www.advancedcustomfields.com * Description: Customize WordPress with powerful, professional and intuitive fields. - * Version: 6.8.1 + * Version: 6.8.2 * Author: WP Engine * Author URI: https://wpengine.com/?utm_source=wordpress.org&utm_medium=referral&utm_campaign=plugin_directory&utm_content=advanced_custom_fields * Text Domain: acf @@ -44,7 +44,7 @@ * * @var string */ - public $version = '6.8.1'; + public $version = '6.8.2';
Exploit Outline
The exploit targets the AJAX dispatcher used by ACF. An unauthenticated attacker can send a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to a vulnerable internal handler such as `acf/ajax/check_screen`. By crafting a payload that specifies a particular 'screen' context or `post_id`, the attacker can force the server to process logic related to field groups and return data about the site's configuration. Because the plugin fails to verify the user's capabilities or check for a valid nonce for these specific internal actions, the request is processed despite the absence of authentication.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.