PT-2022-17611 · WordPress · Advanced Custom Fields Pro

Author: James Golovich

Published: 2022-08-22

Updated: 2022-08-23

CVE-2022-2594

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Advanced Custom Fields WordPress plugin versions prior to 5.12.3
Advanced Custom Fields Pro WordPress plugin versions prior to 5.12.3
Description

The issue allows unauthenticated users to upload files, limited to the file types permitted by a default WordPress configuration, whenever a frontend form built with the plugin is exposed. The flaw was introduced in the 5.0 rewrite of the plugin and did not exist in earlier releases.
Recommendations

For Advanced Custom Fields WordPress plugin versions prior to 5.12.3, update to version 5.12.3 or later. For Advanced Custom Fields Pro WordPress plugin versions prior to 5.12.3, update to version 5.12.3 or later. As a temporary workaround, consider restricting access to frontend forms until the update is applied.


Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2022-2594

Affected Products

Advanced Custom Fields Pro