<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Advanced Members for ACF Plugin - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/advanced-members-for-acf-plugin/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 17 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/advanced-members-for-acf-plugin/feed.xml" rel="self" type="application/rss+xml"/><item><title>WordPress Advanced Members for ACF Plugin Arbitrary File Deletion Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-wordpress-acf-file-deletion/</link><pubDate>Wed, 17 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wordpress-acf-file-deletion/</guid><description>The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function, allowing authenticated attackers with Subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>The Advanced Members for ACF plugin, a WordPress extension, contains an arbitrary file deletion vulnerability (CVE-2026-3243). This flaw resides within the <code>create_crop</code> function and stems from insufficient validation of file paths. All versions of the plugin up to and including 1.2.5 are affected. Exploitation requires an attacker to be authenticated with at least Subscriber-level privileges, a low barrier to entry on many WordPress sites. Successful exploitation enables the deletion of arbitrary files on the server, which can severely impact website functionality and, critically, can lead to remote code execution if sensitive files like <code>wp-config.php</code> are targeted. While version 1.2.5 includes a partial patch, complete remediation requires upgrading to a later version.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains Subscriber-level access to the WordPress instance, either through registration or compromised credentials.</li>
<li>Attacker crafts a malicious HTTP request targeting the <code>create_crop</code> function within the Advanced Members for ACF plugin.</li>
<li>The crafted request includes a manipulated file path designed to target a sensitive file on the server.</li>
<li>Due to insufficient validation, the plugin processes the malicious file path without proper sanitization.</li>
<li>The <code>create_crop</code> function attempts to perform a file deletion operation using the attacker-supplied path.</li>
<li>The targeted file, such as <code>wp-config.php</code> or other critical system files, is successfully deleted from the server.</li>
<li>The WordPress site becomes unstable or non-functional due to the missing configuration files.</li>
<li>By deleting <code>wp-config.php</code> an attacker can trigger a WordPress reinstallation, potentially allowing them to gain administrative access and execute arbitrary code on the server, achieving Remote Code Execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to delete arbitrary files on the WordPress server. This can lead to website defacement, data loss, and potentially remote code execution. Deletion of <code>wp-config.php</code>, a critical file containing database credentials, allows for complete takeover of the WordPress site. Given the widespread use of WordPress and the Advanced Members for ACF plugin, a successful attack could impact a large number of websites across various sectors. The CVSS v3.1 base score is 8.8, indicating a high severity vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Advanced Members for ACF plugin to the latest version to fully remediate CVE-2026-3243.</li>
<li>Monitor web server logs for suspicious POST requests to the <code>create_crop</code> function in the Advanced Members for ACF plugin, as highlighted in the Sigma rule below.</li>
<li>Implement file integrity monitoring (FIM) on critical WordPress files (e.g., <code>wp-config.php</code>, <code>.htaccess</code>) to detect unauthorized deletions.</li>
<li>Restrict Subscriber-level user permissions to minimize the attack surface, as this vulnerability requires authenticated access.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>file-deletion</category><category>remote-code-execution</category><category>cve-2026-3243</category></item></channel></rss>