ACF Pro, Plugin Update Issue

Hi there,

I recently received a notification from Kinsta that ACF Pro 5.12.2 has a security vulnerability and needs to be updated to 5.12.3. But when I go to try to update the plugin that was included in the Pro theme package, there is no option to update.

How do I update the ACF Pro plugin that was included with my Pro theme?

3 Likes

Seconded. WPScan released this statement:

Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload

Description

The plugin allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. By default WordPress does not allow uploading of .php files so this vulnerability is not easily wormable, but there are many other file types that can be uploaded that can be then used with another exploit to execute code or used in a phishing attack to get a user to download and execute a resource from a “trusted” site.

Proof of Concept

The PoC will be displayed on August 22, 2022, to give users the time to update.

Affects Plugins

advanced-custom-fields (Fixed in version 5.12.3)
advanced-custom-fields-pro (Fixed in version 5.12.3)

1 Like

+1 on this one.

Hey guys,

Thank you for reporting it. I’ll forward this case to our staff handling the bundled plugins.

Please just note that we cannot guarantee an update because bundled plugins are tested for compatibility with our themes before releasing.

Hey There,

The new version is now available via automatic updates. All the best!

1 Like

Great, thanks for sorting that out!

Thanks, Rubin!

You are most welcome @itstimetx, @detailsguy
