CVE-2024-34762
📋 TL;DR
This vulnerability allows attackers with contributor-level access to WordPress sites to perform path traversal attacks, leading to local file inclusion of PHP files. It affects Advanced Custom Fields PRO plugin users, potentially enabling arbitrary code execution on vulnerable systems.
💻 Affected Systems
- Advanced Custom Fields PRO
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through arbitrary PHP code execution, data theft, and complete site takeover.
Likely Case
Unauthorized file access, sensitive information disclosure, and potential privilege escalation.
If Mitigated
Limited impact if proper access controls and file permissions are enforced.
🎯 Exploit Status
Exploitation requires authenticated access at contributor level or higher.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.10
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find Advanced Custom Fields PRO. 4. Click 'Update Now' to version 6.2.10 or higher.
🔧 Temporary Workarounds
Restrict Contributor Access
allTemporarily remove contributor-level access or limit to trusted users only.
File Permission Hardening
linuxSet strict file permissions on sensitive directories to prevent unauthorized access.
chmod 644 wp-content/plugins/advanced-custom-fields-pro/*.php
chmod 755 wp-content/plugins/advanced-custom-fields-pro/
🧯 If You Can't Patch
- Disable the Advanced Custom Fields PRO plugin immediately.
- Implement web application firewall rules to block path traversal patterns.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins > Advanced Custom Fields PRO.Check Version:
wp plugin list --name=advanced-custom-fields-pro --field=versionVerify Fix Applied:
Confirm version is 6.2.10 or higher in plugin details.📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web server logs
- Requests containing '../' sequences to plugin endpoints
Network Indicators:
- HTTP requests with path traversal payloads to /wp-content/plugins/advanced-custom-fields-pro/
SIEM Query:
source="web_server" AND (uri="*../*" OR uri="*/advanced-custom-fields-pro/*")🔗 References
- https://patchstack.com/database/vulnerability/advanced-custom-fields-pro/wordpress-advanced-custom-fields-pro-plugin-6-2-10-contributor-local-file-inclusion-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/advanced-custom-fields-pro/wordpress-advanced-custom-fields-pro-plugin-6-2-10-contributor-local-file-inclusion-vulnerability?_s_id=cve
