Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2022-2594
HistoryAug 22, 2022 - 3:15 p.m.

CVE-2022-2594

2022-08-2215:15:15
CWE-434
[email protected]
web.nvd.nist.gov
169
4
cve-2022-2594
advanced custom fields
wordpress plugin
unauthenticated file upload
vulnerability

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.2%

JSON

The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.

Affected configurations

Vulners
NVD
Node
todoadvanced_custom_fieldsRange<5.0
OR
todoadvanced_custom_fieldsRange<5.12.3
OR
todoadvanced_custom_fields_proRange<5.0
OR
todoadvanced_custom_fields_proRange<5.12.3

CNA Affected

[
  {
    "product": "Advanced Custom Fields",
    "vendor": "TODO",
    "versions": [
      {
        "lessThan": "5.0*",
        "status": "affected",
        "version": "5.0",
        "versionType": "custom"
      },
      {
        "lessThan": "5.12.3",
        "status": "affected",
        "version": "5.12.3",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Advanced Custom Fields Pro",
    "vendor": "TODO",
    "versions": [
      {
        "lessThan": "5.0*",
        "status": "affected",
        "version": "5.0",
        "versionType": "custom"
      },
      {
        "lessThan": "5.12.3",
        "status": "affected",
        "version": "5.12.3",
        "versionType": "custom"
      }
    ]
  }
]

Social References

More

Related

wpvulndb 1
wpexploit 1
openvas 2
patchstack 2
prion 1
cvelist 1
nvd 1
wpvulndb
wpvulndb
Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
2022-08-01 00:00:00
wpexploit
wpexploit
Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
2022-08-01 00:00:00
openvas
openvas
WordPress Advanced Custom Fields Pro Plugin 5.x < 5.12.3 File Upload Vulnerability
2022-08-25 00:00:00
WordPress Advanced Custom Fields Plugin 5.x < 5.12.3 File Upload Vulnerability
2022-08-25 00:00:00
patchstack
patchstack
WordPress Advanced Custom Fields PRO premium plugin <= 5.12.2 - Unauthenticated File Upload vulnerability
2022-08-01 00:00:00
WordPress Advanced Custom Fields plugin <= 5.12.2 - Unauthenticated File Upload vulnerability
2022-08-01 00:00:00
prion
prion
Design/Logic Flaw
2022-08-22 15:15:00
cvelist
cvelist
CVE-2022-2594 Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
2022-08-22 15:05:03
nvd
nvd
CVE-2022-2594
2022-08-22 15:15:15

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.2%

JSON
Related for CVE-2022-2594
wpvulndb1wpexploit1openvas2patchstack2prion1cvelist1nvd1