WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Plugin Advanced Custom Fields 'acf_abspath' Parameter Remote File Include (3.5.1)

Description

WordPress Plugin Advanced Custom Fields is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. WordPress Plugin Advanced Custom Fields version 3.5.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 3.5.2 or latest

References

http://www.securityfocus.com/bid/56528/exploit

http://ceriksen.com/2012/11/14/wordpress-advanced-custom-fields-remote-file-inclusion-vulnerability/

http://www.exploit-db.com/exploits/23856/

http://packetstormsecurity.com/files/119221/WordPress-Advanced-Custom-Fields-Remote-File-Inclusion.html

http://secunia.com/advisories/51037/

Related Vulnerabilities

WordPress Plugin TablePress XML External Entity Injection (1.8)

WordPress Plugin Newsletter Open Redirect (3.7.0)

WordPress Plugin April's Super Functions Pack Cross-Site Scripting (1.4.7)

WordPress Plugin yURL ReTwitt Cross-Site Request Forgery (1.4)

WordPress 5.0 Multiple Vulnerabilities (5.0 - 5.0)

Severity

High

Classification

CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Tags

Missing Update File Inclusion