{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3243/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3243"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WordPress","Advanced Members for ACF plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-deletion","remote-code-execution","cve-2026-3243"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Advanced Members for ACF plugin, a WordPress extension, contains an arbitrary file deletion vulnerability (CVE-2026-3243). This flaw resides within the \u003ccode\u003ecreate_crop\u003c/code\u003e function and stems from insufficient validation of file paths. All versions of the plugin up to and including 1.2.5 are affected. Exploitation requires an attacker to be authenticated with at least Subscriber-level privileges, a low barrier to entry on many WordPress sites. Successful exploitation enables the deletion of arbitrary files on the server, which can severely impact website functionality and, critically, can lead to remote code execution if sensitive files like \u003ccode\u003ewp-config.php\u003c/code\u003e are targeted. While version 1.2.5 includes a partial patch, complete remediation requires upgrading to a later version.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains Subscriber-level access to the WordPress instance, either through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the \u003ccode\u003ecreate_crop\u003c/code\u003e function within the Advanced Members for ACF plugin.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated file path designed to target a sensitive file on the server.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation, the plugin processes the malicious file path without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreate_crop\u003c/code\u003e function attempts to perform a file deletion operation using the attacker-supplied path.\u003c/li\u003e\n\u003cli\u003eThe targeted file, such as \u003ccode\u003ewp-config.php\u003c/code\u003e or other critical system files, is successfully deleted from the server.\u003c/li\u003e\n\u003cli\u003eThe WordPress site becomes unstable or non-functional due to the missing configuration files.\u003c/li\u003e\n\u003cli\u003eBy deleting \u003ccode\u003ewp-config.php\u003c/code\u003e an attacker can trigger a WordPress reinstallation, potentially allowing them to gain administrative access and execute arbitrary code on the server, achieving Remote Code Execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to delete arbitrary files on the WordPress server. This can lead to website defacement, data loss, and potentially remote code execution. Deletion of \u003ccode\u003ewp-config.php\u003c/code\u003e, a critical file containing database credentials, allows for complete takeover of the WordPress site. Given the widespread use of WordPress and the Advanced Members for ACF plugin, a successful attack could impact a large number of websites across various sectors. The CVSS v3.1 base score is 8.8, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Advanced Members for ACF plugin to the latest version to fully remediate CVE-2026-3243.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003ecreate_crop\u003c/code\u003e function in the Advanced Members for ACF plugin, as highlighted in the Sigma rule below.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on critical WordPress files (e.g., \u003ccode\u003ewp-config.php\u003c/code\u003e, \u003ccode\u003e.htaccess\u003c/code\u003e) to detect unauthorized deletions.\u003c/li\u003e\n\u003cli\u003eRestrict Subscriber-level user permissions to minimize the attack surface, as this vulnerability requires authenticated access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-17T12:00:00Z","date_published":"2024-01-17T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-acf-file-deletion/","summary":"The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function, allowing authenticated attackers with Subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.","title":"WordPress Advanced Members for ACF Plugin Arbitrary File Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-acf-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-3243","version":"https://jsonfeed.org/version/1.1"}