CVE-2024-37250
📋 TL;DR
This vulnerability allows attackers with subscriber-level access to perform unauthorized actions in Advanced Custom Fields PRO for WordPress. It affects all WordPress sites using Advanced Custom Fields PRO versions up to 6.3.1. The missing authorization check enables privilege escalation through broken access control.
💻 Affected Systems
- Advanced Custom Fields PRO
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with subscriber accounts could modify custom fields, potentially altering site content, configurations, or injecting malicious code that affects all users.
Likely Case
Subscribers gaining unauthorized access to edit custom fields they shouldn't have permission to modify, potentially disrupting site functionality or content.
If Mitigated
With proper role-based access controls and network segmentation, impact would be limited to minor content modifications within the subscriber's scope.
🎯 Exploit Status
Requires subscriber-level access. Exploitation is straightforward once an attacker has valid subscriber credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.2
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Advanced Custom Fields PRO.
4. Click 'Update Now' if available.
5. Alternatively, download version 6.3.2+ from WPEngine and manually update.
🔧 Temporary Workarounds
Temporary Role Restriction
Temporarily restrict subscriber role capabilities until the patch can be applied:
wp role reset subscriber --yes
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WordPress admin interfaces
- Enable detailed logging and monitoring for custom field modifications by subscriber roles
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → Advanced Custom Fields PRO → Version. If the version is 6.3.1 or lower, the system is vulnerable.
Check Version:
wp plugin get advanced-custom-fields-pro --field=version
Verify Fix Applied:
Verify Advanced Custom Fields PRO version is 6.3.2 or higher in WordPress admin plugins page.
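The version check above in script form, as an added example that is not part of this advisory, assuming WP-CLI (`wp`) is installed and the script is run from the WordPress root. The comparison is done per numeric component, so a release such as 6.3.10 is correctly treated as newer than the 6.3.2 fix rather than falling victim to a string comparison.

```shell
#!/bin/sh
# Added example (not part of the original advisory): compare the installed
# Advanced Custom Fields PRO version against the fixed release 6.3.2.
# Assumes WP-CLI ("wp") is available and run from the WordPress root.

FIXED_VERSION="6.3.2"

# version_lt A B -> returns 0 if A is strictly lower than B.
# Each dotted component is compared numerically; missing components count
# as 0 and any suffix such as "-beta" is ignored.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        # drop the consumed component (empty once the last one is used)
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 1   # versions are equal
}

# acf_pro_status VERSION -> prints "vulnerable" (below 6.3.2) or "fixed"
acf_pro_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# check_installed -> asks WP-CLI for the installed plugin version and reports
check_installed() {
    installed="$(wp plugin get advanced-custom-fields-pro --field=version 2>/dev/null)" || {
        echo "advanced-custom-fields-pro not installed or WP-CLI unavailable" >&2
        return 2
    }
    echo "Advanced Custom Fields PRO $installed: $(acf_pro_status "$installed")"
}

# Run the live check only when invoked as: sh acf-check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_installed
fi
```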
📡 Detection & Monitoring
Log Indicators:
- Unauthorized custom field modifications by subscriber roles
- Multiple failed authorization attempts followed by successful custom field edits
Network Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php from subscriber accounts
- Suspicious custom field update patterns
SIEM Query:
source="wordpress.log" AND ("custom_field" OR "acf") AND user_role="subscriber" AND action="edit"