CVE-2023-1196: Advanced Custom Fields (ACF) WordPress Plugins Vulnerable to PHP Object Injection

The Advanced Custom Fields (ACF) WordPress plugins, popular for managing custom fields in WordPress installations, have a critical vulnerability that could allow attackers to perform PHP Object Injection. WordPress websites using the ACF Free and Pro plugins 6.x before 6.1. and 5.x before 5.12.5 should immediately update to the latest versions to mitigate this security risk. This post provides a detailed analysis of the vulnerability and exploitation details with links to original references for a better understanding of the issue.

Vulnerability Details

The vulnerability, tracked as CVE-2023-1196, affects the ACF Free and Pro WordPress plugins. It exists because these plugins unserialize user controllable data, which enables users with the "Contributor" role and above to perform PHP Object Injection when a suitable gadget is present. Attackers can exploit this vulnerability to execute arbitrary code and potentially compromise the affected WordPress installation and underlying system.

The following code snippet demonstrates the vulnerable unserialize function present within the acf_validate_field() function in the includes/api-helpers.php file:

function acf_validate_field($field) {
     ... 
    // Unserialize settings.
    $field['settings'] = maybe_unserialize($field['settings']);
     ... 
}

Exploit Details

To successfully exploit the CVE-2023-1196 vulnerability, an attacker must first identify a suitable gadget(chain) present in the WordPress installation or one of its plugins. Upon finding such a gadget(chain), the attacker can use it to generate a serialized payload. Then, by manipulating the settings parameter of an Advanced Custom Fields (ACF) field, the attacker can inject the serialized payload into the unserialize function, leading to PHP Object Injection.

Consider the following example of a vulnerable gadget(chain)

class GadgetChain {
    public function __construct() {
       // Code that leads to arbitrary code execution 
    }
}

An attacker can use the above gadget(chain) to create a serialized payload similar to the one shown below:

O:12:"GadgetChain"::{}

After generating the payload, the attacker can inject the serialized payload into the settings parameter of an ACF field.

Mitigation

Users of Advanced Custom Fields (ACF) Free and Pro WordPress plugins are advised to update their versions immediately. The affected versions are 6.x before 6.1. and 5.x before 5.12.5.Users should update to the latest versions - 6.1. and 5.12.5, respectively.

For more information on the CVE-2023-1196 vulnerability, please refer to the following resources

1. ACF Changelog - detailing fixed versions
2. OWASP PHP Object Injection reference
3. NVD - National Vulnerability Database entry

Conclusion

The CVE-2023-1196 vulnerability in Advanced Custom Fields (ACF) Free and Pro WordPress plugins presents a significant security risk to WordPress installations. It is crucial for users of these plugins to keep them up-to-date and apply security best practices for their WordPress websites. By following the mitigation steps provided in this post and staying informed about emerging security threats, users can safeguard their online assets more effectively.

Timeline

Published on: 05/02/2023 09:15:00 UTC
Last modified on: 05/08/2023 18:06:00 UTC