CVE-2022-2594: 
WordPress vulnerability analysis and mitigation

The Advanced Custom Fields (ACF) WordPress plugin, including both free and Pro versions before 5.12.3, contains a vulnerability that allows unauthenticated users to upload files through frontend forms. This security issue was introduced in version 5.0 during a code rewrite and was discovered in July 2022. The vulnerability affects over 2 million WordPress installations (Pritect Blog).

The vulnerability (CVE-2022-2594) has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). While PHP file uploads are blocked by default WordPress configurations, the vulnerability still allows uploading of other potentially dangerous file types (NVD, WPScan).

Although PHP file uploads are restricted by default WordPress settings, the vulnerability enables attackers to upload other file types that could be leveraged in conjunction with additional exploits to execute code or be used in phishing attacks by hosting malicious content on trusted sites (WPScan).

The vulnerability has been patched in version 5.12.3 of both Advanced Custom Fields and Advanced Custom Fields Pro. Users are advised to update to this version or later to protect against potential attacks (WPScan).