CVE-2023-1196

8.8 HIGH

📋 TL;DR

This vulnerability in the Advanced Custom Fields (ACF) WordPress plugins allows authenticated users with the Contributor role or higher to perform PHP Object Injection through insecure deserialization of user-controlled data. An attacker could execute arbitrary code on the server if a suitable gadget chain is present, potentially leading to full system compromise.

💻 Affected Systems

Products:
  • Advanced Custom Fields Free WordPress plugin
  • Advanced Custom Fields Pro WordPress plugin
Versions: ACF Free 6.x before 6.1.0, ACF Free 5.x before 5.12.5, ACF Pro 6.x before 6.1.0, ACF Pro 5.x before 5.12.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with at least Contributor role. Exploitation depends on availability of suitable PHP gadget chains in the environment.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete server takeover, data exfiltration, malware deployment, or website defacement.

🟠 Likely Case

Privilege escalation, data manipulation, or limited code execution within the WordPress context.

🟢 If Mitigated

Limited impact if proper role-based access controls and input validation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and depends on available gadget chains. Multiple public references and technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ACF Free 6.1.0 or 5.12.5, ACF Pro 6.1.0 or 5.12.5

Vendor Advisory: https://www.advancedcustomfields.com/blog/acf-security-release/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Advanced Custom Fields plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from WordPress.org or the ACF website and update manually.

🔧 Temporary Workarounds

Restrict User Roles (applies to: all)

Temporarily restrict or remove Contributor role access until patching is complete.

Input Validation Filter (applies to: all)

Implement a custom filter to sanitize and validate ACF field inputs before processing.

🧯 If You Can't Patch

  • Implement strict role-based access control and limit Contributor privileges
  • Deploy web application firewall with rules to detect and block deserialization attacks

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → Advanced Custom Fields version. If the version is 6.x below 6.1.0 or 5.x below 5.12.5, the installation is vulnerable.

Check Version:

wp plugin list --name=advanced-custom-fields --field=version

Verify Fix Applied:

Confirm plugin version is 6.1.0+ or 5.12.5+ in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to ACF endpoints
  • PHP deserialization errors in logs
  • Unexpected file writes or process execution

Network Indicators:

  • Suspicious serialized data in HTTP requests
  • Patterns matching known gadget chain payloads

SIEM Query:

source="web_logs" AND (uri="*acf*" OR uri="*wp-admin*" OR uri="*wp-json*") AND (data="*O:*" OR data="*C:*" OR data="*s:*")
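As an added example (not part of this advisory or the ACF project), the same detection idea in Python over constructed request entries: it matches the class-name structure of a serialized PHP object rather than the bare `O:`/`C:`/`s:` wildcards, and URL- and base64-decodes the body before matching. The endpoint paths, parameter names and sample requests are assumptions constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# A serialized PHP object (O:) or custom-serialized class (C:) has the shape
# O:<len>:"<Class>":<n>:{...}; requiring the quoted class name and the brace avoids
# matching plain serialized strings (s:...), which the wildcard SIEM query above flags.
PHP_OBJECT_RE = re.compile(r'[OC]:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')
# Assumed paths where ACF field data arrives: wp-admin (post save, AJAX) and the REST API.
ACF_PATH_RE = re.compile(r'/wp-admin/|/wp-json/|acf', re.IGNORECASE)


def _candidates(body):
    """Yield the body as-is, URL-decoded, and each base64-looking token decoded."""
    decoded = unquote_plus(body)
    yield body
    yield decoded
    for source in {body, decoded}:
        for token in re.findall(r'[A-Za-z0-9+/=]{16,}', source):
            try:
                yield base64.b64decode(token, validate=True).decode('latin-1')
            except (binascii.Error, ValueError):
                continue


def flag_request(method, uri, body):
    """Return the object marker found in a POST to a WordPress/ACF path, else None."""
    if method.upper() != 'POST' or not ACF_PATH_RE.search(uri):
        return None
    for candidate in _candidates(body):
        match = PHP_OBJECT_RE.search(candidate)
        if match:
            return match.group(0)
    return None


def scan_log(entries):
    """Run flag_request over (method, uri, body) tuples; return (index, marker) hits."""
    return [(i, m) for i, (method, uri, body) in enumerate(entries)
            if (m := flag_request(method, uri, body))]


# Constructed sample requests (not real traffic): a benign serialized array the SIEM
# wildcard would flag, a URL-encoded object, a GET, and a base64-encoded object.
SAMPLE_LOG = [
    ('POST', '/wp-admin/admin-ajax.php', 'data=a%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A5%3A%22value%22%3B%7D'),
    ('POST', '/wp-admin/admin-ajax.php', 'action=acf%2Fvalidate_save_post&acf%5Bfield_1%5D=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D'),
    ('GET', '/wp-json/wp/v2/posts', ''),
    ('POST', '/wp-json/wp/v2/posts/5', '{"meta":{"x":"Tzo4OiJzdGRDbGFzcyI6MDp7fQ=="}}'),
]
```

`scan_log(SAMPLE_LOG)` flags only entries 1 and 3; the benign serialized array in entry 0 is not reported, which the `*s:*` wildcard alone cannot distinguish.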
