Advanced Custom Fields Vulnerability

Those of you who make use of a WordPress plugin called Advanced Custom Fields (ACF) should make sure you have the most recent version, as a vulnerability has been found in the past week or so. If you haven’t got the most recent version, you should update as soon as possible. 

ACF is an extremely popular plugin with developers of WordPress sites. It’s a tool that allows developers to add additional custom fields to the WordPress edit screen and customise things for all kinds of areas within the WordPress dashboard.

ACF is used on millions of WordPress sites. You should definitely check the “Plugins” section in your WordPress admin area to see if you have it.

What is the Advanced Custom Fields vulnerability?

On older versions, there is a missing authorisation check on user accounts that are “editor”, “author”, or “contributor” level. Any one of these accounts can read database information, which should otherwise only be accessible to accounts with full admin privileges. 

The developers of Advanced Custom Fields have released an update addressing this issue. 

I have ACF. What should I do?

Well, first of all, you should check if you have any user accounts that are of the level editor, author or contributor. If you don’t have any accounts with those user levels, you’re probably completely safe. But you should still patch the plugin, just in case something else comes out the woodwork that may affect you.

If you do have those types of user accounts on your site, and you’ve never thought about your site’s security, you probably don’t have any additional protection against attacks. This means your site could well be at risk.

You should login to your site, go to the “Plugins” area, scroll down to ACF and update it. 

You should also consider additional security – have a look at Wordfence, we’ve written about it here.

Still struggling or just a bit uncertain?

Drop us a message and we’ll check your site’s security. As always our advice is free. If we log in to your site to give you feedback, then we’ll even update the plugin for you while we’re there!