The Advanced Custom Fields (ACF) WordPress plugin is a very popular addon that allows for the simple addition of custom fields to a WordPress website. It is very powerful and pretty simple to use, driving its popularity sky high – at the time of writing WordPress.org had it listed as having over 2 million active installations!
The recently found vulnerability allows an attacker with *any* sort of login to the website (even just a ‘contributor’) to gain admin-level access to view the database, which can in turn provide additional access to further an attack.
This has been assigned a CVE reference number, CVE-2022-23183, though no severity has been given yet. Given that this requires an attacker to have some sort of existing user account, and it appears to provide read-only access to the database, this is likely not going to be classed as particularly severe.
Additionally, as the attacker has only read access to the database, they cannot use this to create an admin account or elevate their own. They would, however, be able to see hashed versions of account passwords (and so could potentially crack them). Furthermore, the attacker would be able to get their hands on any credentials stored in the database for accessing other systems (SMTP credentials, API tokens, etc.).
Either way, we recommend updating your WordPress site and plugins immediately!