Advanced Custom Fields <= 5.7.10 - Unserialize of user input

Description
Multiple maybe_unserialize calls result in unserialize() being run on user-supplied input. Low-privileged users such as contributors, and in many cases visitors too, can reach these calls.
Proof of Concept
https://medium.com/websec/wordpress-acf-5-7-10-unserialize-of-user-input-ac17cc473e0d

Affects Plugin

Advanced Custom Fields, fixed in version 5.7.12

References

URL https://medium.com/websec/wordpress-acf-5-7-10-unserialize-of-user-input-ac17cc473e0d

Classification

Type OBJECTINJECTION
OWASP Top 10 A8: Insecure Deserialization
CWE CWE-502

Miscellaneous

Original Researcher Slavco
Submitter Slavco
Submitter Website https://medium.com/websec
Submitter Twitter mslavco
Views 4745
Verified No
WPVDB ID 9347

Timeline

Publicly Published 2019-02-15
Added 2019-06-17
Last Updated 2019-11-26
