A critical security vulnerability has been identified in a popular add-on plugin for WordPress, putting nearly 100,000 websites at risk of total site compromise. The flaw resides in the Advanced Custom Fields: Extended plugin, which extends the established Advanced Custom Fields (ACF) framework. Recent advisories rate the flaw at 9.8 (CVSS), reflecting the severity of the impact if it is exploited.
Unauthenticated Privilege Escalation Poses Threat to WordPress Users
This vulnerability allows unauthenticated attackers to create new user accounts with administrator-level access, effectively granting them complete control over the affected WordPress sites. Unlike typical privilege escalation issues that require some level of existing user permissions, this flaw requires no prior access at all. Any website running a vulnerable version of this plugin with a front-end form that exposes the user role as a selectable field may be at risk from attackers anywhere in the world.
The Advanced Custom Fields: Extended plugin is widely favored among WordPress developers and site owners for its capability to improve the operation of custom fields. This ACF add-on provides an array of tools for managing front-end forms, creating options pages, defining custom post types and taxonomies, as well as altering the admin interface of WordPress.
Understanding the Plugin Flaw
The underlying issue is a privilege escalation vulnerability caused by insufficient role restrictions during user registration. In simpler terms, the plugin's insert_user function fails to restrict which WordPress roles can be assigned to new users. WordPress core's own registration flow only assigns the site's default role, and changing a user's role normally requires the promote_users capability; the plugin's form handler passed the submitted role straight to the user-creation call, bypassing those safeguards.
To exploit the vulnerability, an attacker needs a front-end form provided by the plugin that maps a custom field directly to the WordPress user role. Where such a form exists, the plugin accepted the submitted role value without checking it against the choices the form was configured with, and without any permission check on the caller. Essentially, the plugin trusted the HTML form to constrain the role selection, with no server-side validation behind it.
For instance, a developer might set up a registration form whose drop-down shows only the "subscriber" role. A malicious actor could inspect the form's HTML, intercept the HTTP request, and change the submitted value from role=subscriber to role=administrator. The plugin would then hand this value to WordPress's user creation functions unverified, resulting in a new account with full administrative access.
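The following PHP is an added illustration of the weak pattern described above and of the server-side checks that close it. It is not code from the ACF Extended plugin or from WordPress core; the two handler names and the nonce action string are hypothetical, and only the WordPress core functions (wp_insert_user, wp_verify_nonce, current_user_can, wp_roles, get_option and the sanitize_* helpers) are real APIs.

```php
<?php
// Illustrative reconstruction, not code from ACF Extended or WordPress core.
// Hypothetical names: vulnerable_register_user(), hardened_register_user(),
// nonce action 'frontend_register'.

/**
 * Vulnerable pattern: the role submitted with the form is handed to
 * wp_insert_user() as-is. The HTML <select> may only list "subscriber",
 * but nothing stops a client from submitting "administrator".
 */
function vulnerable_register_user( array $post ) {
    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        'role'       => sanitize_text_field( $post['role'] ?? 'subscriber' ), // attacker-controlled
    );
    return wp_insert_user( $userdata );
}

/**
 * Hardened pattern: the role is validated server-side against the
 * choices the form was configured with (the "Choices" setting the
 * changelog refers to), and privileged roles are refused for callers
 * who cannot already promote users.
 *
 * @param array $post            Raw form submission (e.g. $_POST).
 * @param array $allowed_choices Role slugs the form was configured to offer.
 * @return int|WP_Error          New user ID, or WP_Error on rejection.
 */
function hardened_register_user( array $post, array $allowed_choices ) {
    // 1. Nonce check binds the request to a form the site actually rendered.
    if ( ! isset( $post['_wpnonce'] ) || ! wp_verify_nonce( $post['_wpnonce'], 'frontend_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    $submitted_role = sanitize_key( $post['role'] ?? '' );

    // 2. The submitted value must be one of the form's configured choices,
    //    compared strictly so "0" or "" cannot slip through loose equality.
    if ( ! in_array( $submitted_role, $allowed_choices, true ) ) {
        return new WP_Error( 'bad_role', 'Role is not an allowed choice.' );
    }

    // 3. Defence in depth: a public form never mints a role above the site
    //    default unless the caller already holds promote_users.
    $default_role = get_option( 'default_role', 'subscriber' );
    if ( $submitted_role !== $default_role && ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden_role', 'Insufficient permissions for this role.' );
    }

    // 4. The role must actually exist on this site.
    if ( ! wp_roles()->is_role( $submitted_role ) ) {
        return new WP_Error( 'unknown_role', 'Unknown role.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ?? '', true ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        'role'       => $submitted_role,
    );
    return wp_insert_user( $userdata );
}

// Usage: a registration form configured to offer only the subscriber role.
// $result = hardened_register_user( $_POST, array( 'subscriber' ) );
// A tampered role=administrator now returns WP_Error('bad_role') instead of
// creating an administrator account.
```

Check 2 is the fix the changelog describes (validating against the field's Choices); check 3 is the extra guard a practitioner would add so that even a misconfigured form offering "administrator" as a choice cannot be abused by an anonymous visitor.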
Mitigating Risks: Updates and Fixes
The plugin’s changelog confirms that the issues have been rectified. Key fixes include:
- “Enforced validation of front-end fields against their respective ‘Choices’ settings.”
- “Module: Forms – Introduced a security measure for forms that permit user role selection.”
These updates bring in more robust server-side defenses and improved validation for front-end forms, particularly related to user role selection.
If left unaddressed, the implications for affected websites are severe. Attackers could manipulate site data, install or change plugins and themes, introduce malicious code, create backdoor administrator accounts, redirect traffic, or even spread malware. In essence, this can mean a full-scale takeover of a WordPress site.
Steps for Site Owners: Immediate Actions Required
This vulnerability impacts all versions up to and including 0.9.2.1 and has been patched in version 0.9.2.2. This update includes numerous validation hooks and enhanced security checks tailored for front-end forms and user role management. Noteworthy updates in the changelog consist of:
- Module: Forms – Enforced validation for front-end fields according to their respective ‘Choices’ settings.
- Module: Forms – Added security measures for forms that allow user role selection.
- Module: Forms – Introduced the acfe/form/validate_value hook for individual field validation on the front-end.
- Module: Forms – Implemented the acfe/form/pre_validate_value hook to bypass enforced validation when necessary.
If you are using this ACF add-on plugin, it’s imperative to upgrade to the latest version immediately. Should updating not be a feasible option, disabling the plugin until the patch can be applied is highly recommended. Given the serious nature of this flaw, the ease of exploitation, and indications of active attacks, any delays could leave WordPress sites vulnerable to complete compromise.
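Because the page reports indications of active exploitation, patching alone is not enough; site owners should also confirm the installed version and look for administrator accounts they did not create. The script below is an added example of that post-patch check, not code from the plugin or from WordPress. It assumes the plugin lives in the acf-extended directory with a main file named acf-extended.php (an assumption about the install layout), and that it is run inside WordPress, for example with WP-CLI's "wp eval-file"; the cutoff date is a constructed placeholder to replace with the date of your last user review.

```php
<?php
// Post-patch audit, added here as an example (not from the plugin or WordPress).
// Run inside WordPress, e.g.:  wp eval-file acfe-audit.php
// Assumptions: plugin directory 'acf-extended', main file 'acf-extended.php'.

/**
 * Report whether the installed ACF Extended version includes the fix (0.9.2.2).
 */
function acfe_audit_plugin_version() {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $file = WP_PLUGIN_DIR . '/acf-extended/acf-extended.php'; // assumed path
    if ( ! file_exists( $file ) ) {
        return 'ACF Extended: not installed';
    }
    $data    = get_plugin_data( $file, false, false );
    $patched = version_compare( $data['Version'], '0.9.2.2', '>=' );
    return sprintf( 'ACF Extended %s: %s', $data['Version'], $patched ? 'patched' : 'VULNERABLE' );
}

/**
 * List administrator accounts registered on or after $since (Y-m-d).
 * Any entry you do not recognise is a candidate backdoor account.
 */
function acfe_audit_recent_admins( $since ) {
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    $cutoff   = strtotime( $since );
    $suspects = array();
    foreach ( $admins as $u ) {
        if ( strtotime( $u->user_registered ) >= $cutoff ) {
            $suspects[] = sprintf(
                'ID %d  login=%s  email=%s  registered=%s',
                $u->ID, $u->user_login, $u->user_email, $u->user_registered
            );
        }
    }
    return $suspects;
}

echo acfe_audit_plugin_version(), PHP_EOL;

$since = '2025-01-01'; // constructed placeholder: date of your last user review
$recent = acfe_audit_recent_admins( $since );
echo sprintf( 'Administrator accounts registered since %s: %d', $since, count( $recent ) ), PHP_EOL;
foreach ( $recent as $line ) {
    echo '  ', $line, PHP_EOL;
}
```

An unexpected administrator account is evidence the flaw was already used; in that case treat the site as compromised rather than simply deleting the user, since an attacker with admin access may also have altered plugins, themes or core files.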