WordPress Plugin ACF Extended: Privilege Escalation (0.9.2.1) - Vulnerability Database

WordPress Plugin ACF Extended: Privilege Escalation (0.9.2.1)

Description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
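The flaw described above is a missing server-side allow-list on the role a registration form may assign. The following PHP is an added illustration written for this page, not code from the ACF Extended plugin: `example_insert_user_unsafe()` shows the general shape of the problem (a submitted 'role' value handed straight to wp_insert_user()), and `example_insert_user_hardened()` shows the fix pattern. The constant REGISTRABLE_ROLES and all `example_*` function names are assumptions; wp_insert_user(), get_option(), current_user_can(), get_role(), sanitize_key() and sanitize_user() are real WordPress core functions, so the code expects to run inside WordPress.

```php
<?php
// Added example, not the plugin's code. Hypothetical allow-list of roles an
// unauthenticated self-registration form may assign.
const REGISTRABLE_ROLES = [ 'subscriber', 'contributor' ];

/**
 * Unsafe pattern: the submitted 'role' field is trusted as-is, so any role
 * name, including a privileged one, ends up in wp_insert_user().
 */
function example_insert_user_unsafe( array $fields ) {
    return wp_insert_user( [
        'user_login' => sanitize_user( $fields['user_login'] ?? '' ),
        'user_email' => sanitize_email( $fields['user_email'] ?? '' ),
        'user_pass'  => $fields['user_pass'] ?? wp_generate_password(),
        'role'       => $fields['role'] ?? get_option( 'default_role' ),
    ] );
}

/**
 * Hardened resolution of the role: an unauthenticated submitter only gets a
 * role from the allow-list (or the site default); any other role is granted
 * only when the *current* user already holds the create_users capability,
 * which an anonymous visitor never does.
 */
function example_resolve_registration_role( ?string $requested ): string {
    $default = get_option( 'default_role', 'subscriber' );
    if ( $requested === null || $requested === '' ) {
        return $default;
    }
    $requested = sanitize_key( $requested );

    // Self-registration: only allow-listed roles.
    if ( in_array( $requested, REGISTRABLE_ROLES, true ) ) {
        return $requested;
    }

    // Privileged roles: require an authenticated user who may create users,
    // and require that the role actually exists on this site.
    if ( current_user_can( 'create_users' ) && get_role( $requested ) !== null ) {
        return $requested;
    }

    // Anything else silently falls back to the default role.
    return $default;
}

function example_insert_user_hardened( array $fields ) {
    $role = example_resolve_registration_role( $fields['role'] ?? null );
    return wp_insert_user( [
        'user_login' => sanitize_user( $fields['user_login'] ?? '' ),
        'user_email' => sanitize_email( $fields['user_email'] ?? '' ),
        'user_pass'  => $fields['user_pass'] ?? wp_generate_password(),
        'role'       => $role,
    ] );
}
```

The design point is that the role is decided by server-side policy tied to who is making the request, never by the field value alone; mapping a form field to 'role' is only safe when such a resolver sits between the field and wp_insert_user().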

Remediation

Immediately update the Advanced Custom Fields: Extended plugin to a patched version (if available) or remove it from your WordPress installation. Follow these steps:

1. Log into your WordPress admin dashboard
2. Navigate to Plugins > Installed Plugins
3. Deactivate and delete the Advanced Custom Fields: Extended plugin (versions 0.9.2.1 and below)
4. Review all user accounts for unauthorized administrators created after the plugin was installed
5. Delete any suspicious or unknown admin accounts
6. Reset passwords for all legitimate administrator accounts

If the plugin functionality is required, ensure that the 'role' field is not mapped to any custom field in your forms, or wait for an official security patch from the developer before re-enabling.
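For step 4 of the review above, the following PHP is an added helper written for this page (not part of the advisory or the plugin) that lists administrator accounts whose registration date falls on or after a given point in time, so they can be compared against the list of known administrators. The function name `example_admins_registered_since` and the cut-off date passed to it are assumptions; get_users() and the user_registered property are real WordPress core APIs, and the file is meant to be run inside WordPress, for instance with `wp eval-file` from WP-CLI.

```php
<?php
// Added example, not the advisory's or plugin's code.
// Returns administrator accounts registered on or after $since (a date string
// such as '2024-01-01', assumed to be the plugin's install date).
function example_admins_registered_since( string $since ): array {
    // user_registered is stored in GMT as 'Y-m-d H:i:s', so compare in UTC.
    $since_ts = strtotime( $since . ' UTC' );
    $found    = [];

    foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
        $registered_ts = strtotime( $user->user_registered . ' UTC' );
        if ( $registered_ts !== false && $registered_ts >= $since_ts ) {
            $found[] = [
                'ID'         => $user->ID,
                'user_login' => $user->user_login,
                'user_email' => $user->user_email,
                'registered' => $user->user_registered,
            ];
        }
    }
    return $found;
}

// Usage when executed via `wp eval-file`; the date is a constructed placeholder.
foreach ( example_admins_registered_since( '2024-01-01' ) as $admin ) {
    printf( "%d\t%s\t%s\t%s\n",
        $admin['ID'], $admin['user_login'], $admin['user_email'], $admin['registered'] );
}
```

Any account in the output that nobody on the team recognises is a candidate for step 5; accounts that are legitimate still get their passwords reset under step 6, since an attacker with administrator access could have changed them.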