CVE-2022-2594 Information
Aug 23, 2022
cve
Description
The Advanced Custom Fields WordPress plugin before 5.12.3 and the Advanced Custom Fields Pro WordPress plugin before 5.12.3 allow unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.
Reference
https://www.pritect.net/blog/advanced-custom-fields-5-12-3-can-allow-unauthenticated-users-to-upload-arbitrary-files
https://wpscan.com/vulnerability/3fde5336-552c-4861-8b4d-89a16735c0e2