CVE-2023-1196: 
WordPress vulnerability analysis and mitigation

CVE-2023-1196 is a PHP Object Injection vulnerability affecting the Advanced Custom Fields (ACF) WordPress plugin. The vulnerability was discovered by Nguyen Huu Do and publicly disclosed on April 10, 2023. It affects versions of Advanced Custom Fields and Advanced Custom Fields Pro below 5.12.5 and 6.1.0 (WPScan ACF, WPScan ACF Pro).

The vulnerability stems from the plugin's improper handling of user-controllable data through unserialization, which could enable users with Contributor-level permissions or higher to perform PHP Object Injection when a suitable gadget is present. The vulnerability has been assigned a CVSS score of 6.6 (medium) and is classified under CWE-502, falling into the OWASP Top 10 category A8: Insecure Deserialization (WPScan ACF).

When exploited, this vulnerability allows authenticated users with Contributor-level access or higher to perform PHP Object Injection attacks. The impact could be significant if a suitable gadget chain is present in the target system, potentially leading to arbitrary code execution (WPScan ACF).

The vulnerability has been patched in Advanced Custom Fields version 5.12.5 and 6.1.0, as well as in the Pro versions of the plugin. Users are strongly advised to update to these or later versions to mitigate the risk (WPScan ACF, WPScan ACF Pro).