Seconded. WPScan released this statement:
Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
Description
The plugin allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. By default WordPress does not allow uploading of .php files so this vulnerability is not easily wormable, but there are many other file types that can be uploaded that can be then used with another exploit to execute code or used in a phishing attack to get a user to download and execute a resource from a “trusted” site.
Proof of Concept
The PoC will be displayed on August 22, 2022, to give users the time to update.
Affects Plugins
advanced-custom-fields (Fixed in version 5.12.3)
advanced-custom-fields-pro (Fixed in version 5.12.3)