Platform
wordpress
Component
advanced-members
Fixed in
1.2.6
CVE-2026-3243 describes a Path Traversal vulnerability discovered in the Advanced Members for ACF plugin for WordPress. This vulnerability allows authenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution. The issue affects versions of the plugin up to and including 1.2.5, and a fix is available in version 1.2.6.
The primary impact of CVE-2026-3243 is the ability for an authenticated attacker to delete files on the WordPress server. Because the vulnerability requires only Subscriber-level access, the attack surface is relatively broad. A successful attack could involve deleting critical configuration files like wp-config.php, leading to complete site compromise and remote code execution. Deletion of other sensitive files could expose database credentials or other confidential information. The potential for RCE significantly elevates the risk, as it allows an attacker to gain full control of the affected WordPress instance.
CVE-2026-3243 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet widely available, but the vulnerability's nature makes it likely that PoCs will emerge. Given the ease of exploitation once a path is identified, active exploitation is possible, particularly against vulnerable WordPress instances that are not regularly updated. The vulnerability's reliance on authenticated access may limit its immediate impact, but it still poses a significant risk.
Affected are WordPress sites running the Advanced Members for ACF plugin, particularly those on older versions (≤1.2.5) and those where Subscriber-level or higher users have access to the plugin's functionality. Shared hosting environments where file permissions are not tightly controlled are also at increased risk.
• wordpress / plugin:
wp plugin list
Check whether the Advanced Members for ACF plugin is installed and which version it runs. If the version is ≤1.2.5, the system is vulnerable.
• wordpress / plugin:
wp plugin update advanced-members-for-acf
Attempt to update the plugin to the latest version (1.2.6 or later).
• wordpress / file system: Inspect the WordPress file system for any unusual files or modifications, particularly in directories accessible to the WordPress user.
• wordpress / plugin: Review the plugin's code for any instances of file path manipulation or validation that could be exploited.
disclosure
Exploit status
EPSS
0.22% (45th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3243 is to immediately upgrade the Advanced Members for ACF plugin to version 1.2.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to limit the attacker’s ability to delete files. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious file paths or patterns. Monitor WordPress logs for unusual file deletion activity. After upgrading, confirm the fix by attempting a file deletion request through the plugin's interface with a crafted path; the request should be rejected.
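As an added example supporting the log-monitoring and WAF advice above (not code from the advisory or from the plugin), the following scanner flags web-server requests whose URL, after full percent-decoding, carries a path traversal sequence. The log lines, the endpoint and the query parameter names are constructed placeholders, since the advisory does not name the vulnerable request.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx combined format; the endpoint,
# action and "file" parameter are placeholders, not the plugin's real interface.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=avatar.png HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=example&file=../../../wp-config.php HTTP/1.1" 200 17
203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=example&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 17
203.0.113.9 - - [10/Mar/2026:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=example&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 17
198.51.100.4 - - [10/Mar/2026:12:00:05 +0000] "GET /wp-content/uploads/2026/03/photo.jpg HTTP/1.1" 200 40123
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by a separator or end of string, checked on the normalised target.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding such as %252e)
    and fold backslashes to forward slashes so one pattern covers both."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(target):
    """True if the request target contains a '..' segment after decoding."""
    return TRAVERSAL_RE.search(decode_fully(target)) is not None


def find_traversal_requests(log_text):
    """Return (ip, method, status, decoded_target) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((m["ip"], m["method"], m["status"], decode_fully(m["target"])))
    return hits


if __name__ == "__main__":
    for ip, method, status, target in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} {method} {status} {target}")
```

A 200 response on such a request is the line to triage first; the same decode-then-match logic is what a WAF rule must replicate to avoid being bypassed by encoded variants.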
Update to version 1.2.6 or a newer patched version.
CVE-2026-3243 is a Path Traversal vulnerability in the Advanced Members for ACF WordPress plugin, allowing authenticated attackers to delete files.
You are affected if you are using Advanced Members for ACF version 1.2.5 or earlier. Upgrade to 1.2.6 to mitigate the risk.
Upgrade the Advanced Members for ACF plugin to version 1.2.6 or later. Consider restricting file permissions as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.