The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.
CPE | Name | Operator | Version |
---|---|---|---|
advanced_custom_fields | ge | 5.0.0 | |
advanced_custom_fields | lt | 5.12.3 | |
advanced_custom_fields | ge | 5.0.0 | |
advanced_custom_fields | lt | 5.12.3 |