
ACF 5.12.1 Patches Missing Authorization Vulnerability

via wptavern.com

Advanced Custom Fields (ACF) recently patched a missing authorization vulnerability in version 5.12.1 that potentially affects more than a million users. The security issue was discovered by Keitaro Yamazaki of Ierae Security, Inc, who reported it to the Information-technology Promotion Agency (IPA).

According to the CVE record information, the vulnerability affects all free versions of ACF prior to 5.12.1 and ACF Pro versions prior to 5.12.1. It allows a remote authenticated attacker to view information in the database without the correct access permission. The National Vulnerability Database gives this particular vulnerability a 6.5 Medium score.

ACF product manager Iain Poulson explained that there are certain conditions necessary to make an attack possible.