WordPress Advanced Custom Fields remote file inclusion vulnerability


Secunia Advisory SA 51037

Analysis of vulnerability
A Remote File Inclusion vulnerability exists in the Advanced Custom Fields plugin for WordPress. By exploiting an unsafe use of array_merge on user input in /core/actions/export.php, it is possible to override a value used for an include:

By posting a different value for acf_abspath to the script, we can overwrite the value used by the two require_once calls. For instance, a request like this makes the script request /wp-load.php and /wp-admin/admin.php from myevilsite.com:
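
The merge-then-include pattern this analysis describes, next to a hardened form, as an added PHP illustration. It is constructed for this page and is not the plugin's source; the default path, the `acf_posts` key, the helper names and the `attacker.example` host are assumptions.

```php
<?php
// Constructed illustration, not the plugin's source. Only acf_abspath and
// the two WordPress file names are taken from the advisory text.

// Vulnerable pattern: every request key overrides the defaults, including
// the one that is later concatenated into require_once.
function options_unsafe(array $post): array {
    $defaults = ['acf_abspath' => '../../../../..', 'acf_posts' => []]; // assumed defaults
    return array_merge($defaults, $post);
}

// Hardened pattern: copy only expected keys from the request and set the
// include base from server-side configuration, never from input.
function options_safe(array $post, string $trustedBase): array {
    $allowed = ['acf_posts' => []]; // hypothetical allowlist
    $opts = array_merge($allowed, array_intersect_key($post, $allowed));
    $opts['acf_abspath'] = $trustedBase;
    return $opts;
}

// Defence in depth: resolve the target and refuse anything that is not an
// existing local file under the trusted base (URLs fail realpath()).
function resolve_include(string $base, string $relative): string {
    $root = realpath($base);
    $path = realpath($base . $relative);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('refusing include outside trusted base');
    }
    return $path;
}

// Constructed request body with an overriding acf_abspath (placeholder host).
$post = ['acf_abspath' => 'http://attacker.example', 'acf_posts' => ['12']];

$unsafe = options_unsafe($post);
echo 'unsafe base: ', $unsafe['acf_abspath'], "\n";

$base = sys_get_temp_dir() . '/acf_demo_' . getmypid(); // stand-in for the WP root
mkdir($base);
file_put_contents($base . '/wp-load.php', "<?php\n");
$safe = options_safe($post, $base);
echo 'safe target: ', resolve_include($safe['acf_abspath'], '/wp-load.php'), "\n";
try {
    resolve_include($unsafe['acf_abspath'], '/wp-load.php');
} catch (RuntimeException $e) {
    echo 'unsafe base rejected: ', $e->getMessage(), "\n";
}
unlink($base . '/wp-load.php');
rmdir($base);
```

Including a remote URL also depends on PHP's `allow_url_include` setting, which is off by default; keeping it off limits this class of bug to local files.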


