Platform: wordpress
Component: advanced-members
Fixed in: 1.2.6
CVE-2026-3243 describes a Path Traversal vulnerability discovered in the Advanced Members for ACF plugin for WordPress. This vulnerability allows authenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution. The issue affects versions of the plugin up to and including 1.2.5, and a fix is available in version 1.2.6.
The core impact of CVE-2026-3243 is that an authenticated attacker (Subscriber level or higher) can delete files on the WordPress server. Although the vulnerability is classified as a Path Traversal, the potential for remote code execution is significant. Deleting the wp-config.php file, for example, would effectively disable the WordPress installation and, depending on the server configuration, could allow an attacker to upload and execute malicious code. This could lead to complete server compromise, data theft, and denial of service. The partial patch in 1.2.5 suggests that initial attempts to address the vulnerability were made, but a complete fix was necessary.
CVE-2026-3243 was publicly disclosed on 2026-04-07. Currently, there are no known active campaigns exploiting this vulnerability. Public proof-of-concept code is not widely available, but the relatively straightforward nature of Path Traversal vulnerabilities suggests that one could be developed. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.22% (45th percentile)
The primary mitigation for CVE-2026-3243 is to immediately upgrade the Advanced Members for ACF plugin to version 1.2.6 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider restricting file permissions on the WordPress server to limit the impact of a successful attack. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious file deletion attempts can provide an additional layer of defense. Regularly review WordPress file permissions and user roles to ensure the principle of least privilege is enforced.
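As an added illustration (not the plugin's own code or its 1.2.6 patch), here is a WordPress file-deletion handler written the way the mitigations above imply: a capability check so that Subscriber-level accounts cannot reach it, and canonical-path containment so that a traversal sequence cannot escape the uploads directory. The AJAX action name and the `delete_member_files` capability are hypothetical.

```php
<?php
// Added illustration, not the plugin's code or its 1.2.6 patch.
// Action name and the 'delete_member_files' capability are hypothetical.
add_action( 'wp_ajax_example_delete_member_file', 'example_delete_member_file' );

function example_delete_member_file() {
    // Require a capability that Subscriber-level accounts do not hold.
    if ( ! current_user_can( 'delete_member_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Nonce check: the request must come from a form or script we issued.
    check_ajax_referer( 'example_delete_member_file' );
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $target    = example_resolve_upload_path( $requested );
    if ( false === $target ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    if ( ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}

/**
 * Map an untrusted, uploads-relative file name to an absolute path that is
 * guaranteed to lie inside the uploads directory. Returns false otherwise.
 */
function example_resolve_upload_path( $relative ) {
    $upload = wp_upload_dir();
    if ( ! empty( $upload['error'] ) ) {
        return false;
    }
    $base = realpath( $upload['basedir'] );
    // NUL bytes would make realpath() throw on PHP 8; reject them first.
    if ( false === $base || strpos( $relative, "\0" ) !== false ) {
        return false;
    }
    // realpath() collapses "..", ".", repeated separators and symlinks; false if missing.
    $target = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $relative, '/\\' ) );
    if ( false === $target || ! is_file( $target ) ) {
        return false;
    }
    // Containment: the canonical path must start with "<base>/".
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $target, $prefix, strlen( $prefix ) ) ) {
        return false;
    }
    return $target;
}
```

The containment check is done on the resolved path rather than on the raw input, so encoded or symlinked traversal that a string filter would miss is still refused.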
Update to version 1.2.6, or a newer patched version
CVE-2026-3243 is a Path Traversal vulnerability in the Advanced Members for ACF WordPress plugin, allowing authenticated attackers to delete files.
You are affected if you are using Advanced Members for ACF version 1.2.5 or earlier. Upgrade to 1.2.6 to mitigate the risk.
Upgrade the Advanced Members for ACF plugin to version 1.2.6 or later. Consider restricting file permissions as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.