CVE-2024-4565

6.5 MEDIUM

📋 TL;DR

This vulnerability in the Advanced Custom Fields (ACF) WordPress plugins allows attackers to display custom field values for any post via the ACF shortcode, without proper access controls. It affects WordPress sites running ACF Free before version 6.3 or ACF Pro before version 6.3. The result is unauthorized information disclosure of potentially sensitive post data.

💻 Affected Systems

Products:
  • Advanced Custom Fields WordPress plugin
  • Advanced Custom Fields Pro WordPress plugin
Versions: All versions before 6.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable ACF plugin versions installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could extract sensitive custom field data from private posts, including confidential information, user data, or configuration details that should remain hidden.

🟠 Likely Case

Unauthorized users can view custom field content from posts they shouldn't have access to, potentially exposing internal information or draft content.

🟢 If Mitigated

With proper access controls and authentication requirements, impact is limited to authorized users viewing only the content they are entitled to see.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of post IDs and custom field names, but is straightforward once these are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3

Vendor Advisory: https://www.advancedcustomfields.com/blog/acf-6-3/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Advanced Custom Fields or Advanced Custom Fields Pro
4. Click 'Update Now' if available
5. Alternatively, download version 6.3+ from WordPress.org or ACF website
6. Upload and replace the plugin files
7. No restart required - changes take effect immediately

🔧 Temporary Workarounds

Disable vulnerable shortcode (applies to: all)

Remove or restrict the affected shortcode functionality. Add to the theme's functions.php: remove_shortcode('acf');

Access control plugin (applies to: all)

Implement additional access controls using security plugins.
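The two workarounds above, as an added example that is not the page's or ACF's own code: a must-use plugin (drop it into wp-content/mu-plugins/) that either removes the acf shortcode outright, as the page suggests, or replaces it with a restricted handler that only ever reads fields from the post currently being rendered, so a post_id attribute pointing at another post has no effect. The hook priority, the handler name example_restricted_acf_shortcode and the scalar-only output are assumptions; get_field(), shortcode_atts(), get_the_ID(), post_password_required() and esc_html() are the real ACF and WordPress functions.

```php
<?php
/**
 * Plugin Name: Restricted ACF shortcode (temporary workaround, added example)
 * Description: Stop-gap for ACF < 6.3 until the plugin is updated. Not ACF's own code.
 */

// ACF registers its shortcode during 'init'; priority 20 is assumed to run after it.
add_action( 'init', function () {
    // Option A, exactly the page's workaround: drop the shortcode entirely.
    // remove_shortcode( 'acf' );

    // Option B: swap in a handler that cannot reach other posts.
    remove_shortcode( 'acf' );
    add_shortcode( 'acf', 'example_restricted_acf_shortcode' );
}, 20 );

/**
 * Restricted handler for [acf field="..."].
 * The post_id attribute is accepted but ignored; the field is always read
 * from the post being rendered, which the viewer can already see.
 */
function example_restricted_acf_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'field' => '', 'post_id' => '' ), // post_id deliberately unused
        $atts,
        'acf'
    );

    if ( ! function_exists( 'get_field' ) || $atts['field'] === '' ) {
        return '';
    }

    $current = get_the_ID();
    if ( ! $current ) {
        return ''; // no post context (e.g. widget or archive), render nothing
    }

    // Defensive checks: never render inside a password-protected post before
    // the password is entered, and only for posts the viewer may read.
    $post = get_post( $current );
    if ( ! $post || post_password_required( $post ) ) {
        return '';
    }
    if ( $post->post_status !== 'publish' && ! current_user_can( 'read_post', $current ) ) {
        return '';
    }

    // false = raw value without ACF formatting, keeping output predictable.
    $value = get_field( $atts['field'], $current, false );

    // Keep it simple: only scalar values are echoed, and always HTML-escaped.
    if ( is_array( $value ) || is_object( $value ) || $value === null ) {
        return '';
    }
    return esc_html( (string) $value );
}
```

Option B keeps existing [acf field="..."] usages in content working while closing the cross-post read; Option A is simpler and is what the page recommends if the shortcode is not needed at all. Either way, remove the mu-plugin once ACF is on 6.3 or later.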

🧯 If You Can't Patch

  • Implement strict access controls and authentication requirements for all posts with custom fields
  • Monitor and audit all shortcode usage and custom field access patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for ACF version. If version is below 6.3, you are vulnerable.

Check Version:

wp plugin list --name='advanced-custom-fields' --field=version

Verify Fix Applied:

After updating, verify ACF plugin version shows 6.3 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual shortcode usage patterns
  • Multiple failed access attempts to restricted posts
  • Access to posts by unauthorized users

Network Indicators:

  • HTTP requests to posts with acf shortcode parameters from unexpected sources

SIEM Query:

source="wordpress" AND (event="shortcode_execution" AND shortcode="acf") AND user_role!="administrator"
