Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Advanced Custom Fields (ACF) by Unknown

    CVE-2024-4565 (GCVE-0-2024-4565)

    Vulnerability from nvd – Published: 2024-06-20 06:00 – Updated: 2025-08-27 12:00
    VLAI
    Title
    Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access
    Summary
    The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct access
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/430224c4-d6e3-4c… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Advanced Custom Fields (ACF) Affected: 0 , < 6.3 (semver)
    Create a notification for this product.
    Unknown Advanced Custom Fields Pro Affected: 0 , < 6.3 (semver)
    Create a notification for this product.
    wpengine advanced_custom_field_pro Affected: 0 , < 6.3 (custom)
        cpe:2.3:a:wpengine:advanced_custom_field_pro:*:*:*:*:*:*:*:*
    Create a notification for this product.
    wpengine advanced_custom_fields Affected: 0 , < 6.3 (custom)
        cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Scott Kingsley Clark WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpengine:advanced_custom_field_pro:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "advanced_custom_field_pro",
                "vendor": "wpengine",
                "versions": [
                  {
                    "lessThan": "6.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "advanced_custom_fields",
                "vendor": "wpengine",
                "versions": [
                  {
                    "lessThan": "6.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4565",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-20T13:40:36.821631Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-20T13:42:56.802Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:47:40.536Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/430224c4-d6e3-4ca8-b1bc-b2229a9bcf12/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF)",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields Pro",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Scott Kingsley Clark"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct access"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-27T12:00:41.514Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/430224c4-d6e3-4ca8-b1bc-b2229a9bcf12/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Advanced Custom Fields \u003c 6.3 - Contributor+ Custom Field Access",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-4565",
        "datePublished": "2024-06-20T06:00:02.546Z",
        "dateReserved": "2024-05-06T19:04:45.951Z",
        "dateUpdated": "2025-08-27T12:00:41.514Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-1196 (GCVE-0-2023-1196)

    Vulnerability from nvd – Published: 2023-05-02 08:39 – Updated: 2025-01-30 14:21
    VLAI
    Title
    Advanced Custom Fields - Contributor+ PHP Object Injection
    Summary
    The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/cf376ca2-92f6-44… exploitvdb-entrytechnical-description
    https://wpscan.com/vulnerability/8e5ec88e-0e66-44… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Advanced Custom Fields (ACF) Affected: 5.0.0 , < 5.12.5 (custom)
    Affected: 6.0.0 , < 6.1.0 (custom)
    Create a notification for this product.
    Unknown Advanced Custom Fields (ACF) Pro Affected: 5.0.0 , < 5.12.5 (custom)
    Affected: 6.0.0 , < 6.1.0 (custom)
    Create a notification for this product.
    Credits
    Nguyen Huu Do WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:40:59.784Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-ace809460a33"
              },
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-74155d849ede"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-1196",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-30T14:20:45.706582Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-30T14:21:42.963Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF)",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "5.12.5",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF) Pro",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "5.12.5",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Huu Do"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-02T08:39:29.005Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-ace809460a33"
            },
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-74155d849ede"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Advanced Custom Fields - Contributor+ PHP Object Injection",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2023-1196",
        "datePublished": "2023-05-02T08:39:29.005Z",
        "dateReserved": "2023-03-06T13:01:50.110Z",
        "dateUpdated": "2025-01-30T14:21:42.963Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-4565 (GCVE-0-2024-4565)

    Vulnerability from cvelistv5 – Published: 2024-06-20 06:00 – Updated: 2025-08-27 12:00
    VLAI
    Title
    Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access
    Summary
    The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct access
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/430224c4-d6e3-4c… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Advanced Custom Fields (ACF) Affected: 0 , < 6.3 (semver)
    Create a notification for this product.
    Unknown Advanced Custom Fields Pro Affected: 0 , < 6.3 (semver)
    Create a notification for this product.
    wpengine advanced_custom_field_pro Affected: 0 , < 6.3 (custom)
        cpe:2.3:a:wpengine:advanced_custom_field_pro:*:*:*:*:*:*:*:*
    Create a notification for this product.
    wpengine advanced_custom_fields Affected: 0 , < 6.3 (custom)
        cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Scott Kingsley Clark WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpengine:advanced_custom_field_pro:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "advanced_custom_field_pro",
                "vendor": "wpengine",
                "versions": [
                  {
                    "lessThan": "6.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:wpengine:advanced_custom_fields:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "advanced_custom_fields",
                "vendor": "wpengine",
                "versions": [
                  {
                    "lessThan": "6.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4565",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-20T13:40:36.821631Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-20T13:42:56.802Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:47:40.536Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/430224c4-d6e3-4ca8-b1bc-b2229a9bcf12/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF)",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields Pro",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Scott Kingsley Clark"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct access"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-27T12:00:41.514Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/430224c4-d6e3-4ca8-b1bc-b2229a9bcf12/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Advanced Custom Fields \u003c 6.3 - Contributor+ Custom Field Access",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-4565",
        "datePublished": "2024-06-20T06:00:02.546Z",
        "dateReserved": "2024-05-06T19:04:45.951Z",
        "dateUpdated": "2025-08-27T12:00:41.514Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-1196 (GCVE-0-2023-1196)

    Vulnerability from cvelistv5 – Published: 2023-05-02 08:39 – Updated: 2025-01-30 14:21
    VLAI
    Title
    Advanced Custom Fields - Contributor+ PHP Object Injection
    Summary
    The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/cf376ca2-92f6-44… exploitvdb-entrytechnical-description
    https://wpscan.com/vulnerability/8e5ec88e-0e66-44… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Advanced Custom Fields (ACF) Affected: 5.0.0 , < 5.12.5 (custom)
    Affected: 6.0.0 , < 6.1.0 (custom)
    Create a notification for this product.
    Unknown Advanced Custom Fields (ACF) Pro Affected: 5.0.0 , < 5.12.5 (custom)
    Affected: 6.0.0 , < 6.1.0 (custom)
    Create a notification for this product.
    Credits
    Nguyen Huu Do WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:40:59.784Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-ace809460a33"
              },
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-74155d849ede"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-1196",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-30T14:20:45.706582Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-30T14:21:42.963Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF)",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "5.12.5",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF) Pro",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "5.12.5",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.1.0",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Huu Do"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-02T08:39:29.005Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/cf376ca2-92f6-44ff-929a-ace809460a33"
            },
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/8e5ec88e-0e66-44e4-bbf2-74155d849ede"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Advanced Custom Fields - Contributor+ PHP Object Injection",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2023-1196",
        "datePublished": "2023-05-02T08:39:29.005Z",
        "dateReserved": "2023-03-06T13:01:50.110Z",
        "dateUpdated": "2025-01-30T14:21:42.963Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }