PT-2026-31295 · WordPress · Advanced Members For Acf
Published: 2026-04-08 · Updated: 2026-04-12 · CVE-2026-3243
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Advanced Members for ACF plugin for WordPress versions up to and including 1.2.5
Description
The Advanced Members for ACF plugin for WordPress has a flaw that allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server. This is due to inadequate file path validation within the create crop function. Deleting specific files, such as wp-config.php, could lead to remote code execution.
Recommendations
Update to a version later than 1.2.5.
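The kind of path validation the description says was inadequate, shown as an added example (not the plugin's code or its actual fix): a hypothetical PHP helper, `safe_delete_in_dir`, resolves a requested path and deletes it only when it lands inside an allowed base directory. The directory layout and file names in the demo are constructed.

```php
<?php
// Added example: hypothetical helper, not taken from Advanced Members for ACF.

/**
 * Delete $requested only if it resolves to a regular file inside $base_dir.
 * Returns true when a file was deleted, false when the path is rejected or missing.
 */
function safe_delete_in_dir(string $base_dir, string $requested): bool
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Empty input and NUL bytes are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // realpath() collapses "../" segments and follows symlinks, so the
    // comparison below sees the file that unlink() would really remove.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "/uploads-old" is not treated as being inside "/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed layout: a stand-in site root with an uploads directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pt_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads/crops', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in\n");
file_put_contents($root . '/uploads/crops/avatar-150x150.jpg', 'constructed');

// A file under the base directory is removed; a path that climbs out is refused.
var_dump(safe_delete_in_dir($root . '/uploads', 'crops/avatar-150x150.jpg'));
var_dump(safe_delete_in_dir($root . '/uploads', '../wp-config.php'));
var_dump(file_exists($root . '/wp-config.php'));

// Remove the constructed demo tree.
unlink($root . '/wp-config.php');
rmdir($root . '/uploads/crops');
rmdir($root . '/uploads');
rmdir($root);
```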
Fix
RCE
Path traversal
Affected Products
Advanced Members For Acf