Platform
wordpress
Component
advanced-custom-fields-pro
Fixed in
6.2.10
CVE-2024-34762 is a Path Traversal vulnerability in Advanced Custom Fields PRO that allows PHP Local File Inclusion (LFI): an attacker who can influence a file path the plugin passes to a PHP include can make it load files outside the intended directory, leading to sensitive data exposure or remote code execution. The vulnerability affects versions of Advanced Custom Fields PRO prior to 6.2.10; the fix shipped in 6.2.10.
The core impact lies in the Local File Inclusion. By placing traversal sequences (for example `../`) in the path component the plugin does not sanitize, an attacker can point the include at files outside the intended directory. Because PHP executes an included file rather than merely displaying it, the practical outcome depends on which files are reachable: including a file whose contents the attacker controls (an uploaded file with embedded PHP, or a log file seeded with PHP) yields remote code execution and full control of the WordPress site, and including other application files can expose configuration data such as database credentials or API keys. The blast radius is every WordPress site running Advanced Custom Fields PRO before 6.2.10, particularly those that store sensitive data in the plugin's configuration or custom fields.
This vulnerability was publicly disclosed on 2024-06-10. No active exploitation campaigns have been confirmed, it is not listed in the CISA KEV catalog, and the EPSS score below (0.65%, 71st percentile) reflects a low but non-negligible predicted probability of exploitation. Path traversal into a PHP include is a well-understood bug class, so public proof-of-concept code may appear and would raise the risk of widespread exploitation; treat unpatched sites as a priority.
Exploit Status
EPSS: 0.65% (71st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-34762 is to upgrade Advanced Custom Fields PRO to version 6.2.10 or later immediately. If upgrading is not feasible right away because of compatibility concerns or breaking changes, apply temporary workarounds: a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences (`../` and its URL-encoded forms such as `..%2f` and `%2e%2e/`, since PHP decodes query parameters before the plugin sees them), and tightened file permissions within the plugin's directory (of limited value, because the include runs as the web server user and can read anything that user can read). Review any user-supplied input that reaches a file path and make sure it is validated against an allowlist and confined to the intended directory rather than merely filtered for `../`. After upgrading, verify the fix by sending traversal payloads through the plugin's interface to a file outside the intended directory; the request should be rejected and the file must not be included.
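The following is an added example, not code from Advanced Custom Fields PRO or from this advisory, illustrating the bug class described above and the hardening the mitigation calls for. The template loader, its `templates` directory, the `secret.php` stand-in for `wp-config.php` and the sample request values are all constructed for the demonstration; the plugin's real code path is not reproduced here. It contrasts a loader that concatenates request input into an include path with one that allowlists the name, canonicalises the result with `realpath()` and checks containment, and it shows why a WAF rule that only matches the literal string `../` misses URL-encoded traversal.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical loader, not ACF PRO's code): builds the path of a
// PHP template file from a name taken out of the request.

// VULNERABLE: untrusted input is concatenated into the include path, so a name
// such as "../secret" escapes the templates directory and PHP executes the file.
function template_path_vulnerable(string $base, string $name): string
{
    return $base . '/' . $name . '.php';
}

// HARDENED: allowlist the identifier, canonicalise, and require the result to
// stay inside the base directory. Returns null for anything rejected.
function template_path_safe(string $base, string $name): ?string
{
    // 1. Only simple identifiers: no separators, dots, NUL bytes or encodings.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // 2. Canonicalise the candidate; realpath() resolves symlinks and "..",
    //    and returns false when the file does not exist.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $name . '.php');
    if ($candidate === false) {
        return null;
    }
    // 3. Containment check against the canonical base, including the separator
    //    so that "/srv/templates-evil" is not accepted for base "/srv/templates".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed test bed: a templates directory and a sensitive file beside it.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/card.php", "<?php echo 'card template';\n");
file_put_contents("$root/secret.php", "<?php define('DB_PASSWORD', 'example');\n"); // stands in for wp-config.php

// Raw query-string values as a WAF would see them on the wire.
$rawValues = ['card', '../secret', '..%2fsecret', '%2e%2e/secret'];

foreach ($rawValues as $raw) {
    // A WAF rule that only matches the literal sequence "../".
    $naiveWafBlocks = strpos($raw, '../') !== false;
    // PHP decodes the parameter before the plugin ever sees it.
    $name = rawurldecode($raw);

    $vulnPath = template_path_vulnerable("$root/templates", $name);
    $safePath = template_path_safe("$root/templates", $name);

    printf("%-16s naive WAF: %-7s vulnerable include -> %-20s hardened: %s\n",
        $raw,
        $naiveWafBlocks ? 'blocked' : 'passed',
        file_exists($vulnPath) ? basename(realpath($vulnPath)) : '(no such file)',
        $safePath === null ? 'rejected' : 'allowed (' . basename($safePath) . ')');
}

// Clean up the constructed files.
unlink("$root/templates/card.php");
unlink("$root/secret.php");
rmdir("$root/templates");
rmdir($root);
```

Run with `php lfi-demo.php`. Only `card` is accepted by the hardened resolver; all three traversal forms reach `secret.php` through the vulnerable one, and the two URL-encoded forms sail past the literal `../` rule because the server decodes them after the WAF has inspected the request. Step 3 matters even with the allowlist in place: it is what keeps a symlinked or renamed template directory from silently widening the reachable set.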
Update the Advanced Custom Fields PRO plugin to version 6.2.10 or higher. This update fixes the Local File Inclusion vulnerability. You can update the plugin directly from the WordPress admin panel.
CVE-2024-34762 is a critical path traversal vulnerability in Advanced Custom Fields PRO that allows attackers to include arbitrary PHP files, potentially leading to sensitive data exposure or remote code execution.
Yes, if you are using Advanced Custom Fields PRO versions prior to 6.2.10, you are affected by this vulnerability.
Upgrade Advanced Custom Fields PRO to version 6.2.10 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules or restricted file access.
No active exploitation campaigns have been confirmed and the vulnerability is not in the CISA KEV catalog, but path traversal into a PHP include is a well-understood bug class, so unpatched sites should be treated as likely targets once proof-of-concept code circulates.
Refer to the official Advanced Custom Fields PRO website and security advisories for the latest information and updates regarding CVE-2024-34762.