Matterport 3D Tour Pros  |  Google Street View Pros  |  Real Estate Agents  |  3rd Party Service Providers
Should I buy a Camera? Quiz How Much to Start 3D Tour Business? Calculate How Much Can I Make as a Pro? Calculate Win More Listings? Calculate
Option #1
Find a 3D Tour Photographer Map
We Get Around Network Find a Pro Service
Matterport Service Provider? Join We Get Around Network
Option #2
Book a Matterport Pro in 60 Seconds
We Get Around Network Instant Booking Service
Powered byKoaWare
Matterport Service Provider (USA)? Join KoaWare Free! Register Now
Last 30 Days: 43,857 Page Views | 10,642 Visitors | 63 New Members
WGAN Knowledge Base | Total Posts: 53,189  |  Total Topics: 7,854
4,395 WGAN Members in 118 Countries
We Get Around Network Forum
WGAN Training Academy (Learn more)
WGAN-TV Channel
Best Practices Shooting Real Estate Video; and
PhotoAndVideoEdits.com Demo and Discussion
Nail Soup MediaWordPress

Security Alert: Plugin Vulnerability Notification - Advanced Custom Fields8343

Premium
Member
GlennTremain private msg quote post Address this user
Just got an alert from WP Engine Security: Plugin Vulnerability Notification - Advanced Custom Fields Plugin

This plugin could allow input from a malicious user with Author privileges to be interpreted as code by site visitors' web browsers. An attacker could use this vulnerability to steal information or modify site configuration.

Unfortunately, the author of this plugin has not yet released a fix to address these security issues. Until that time, we recommend that you assess the risk to your organization with consideration toward the requirement of author privileges for a user to execute this attack. The functionality of Advanced Custom Fields is integral to many themes and other WordPress add-ons, so removing it may break certain aspects of your site.

Please make sure to run a backup of your database before making any changes
Post 1 IP   flag post
WP3D Models
ThreeSixty Tours
rpetersn private msg quote post Address this user
Interestingly, there's no mention (yet 12/5/18 - PM) of this issue anywhere online at any of the various ACF Forums:

https://support.advancedcustomfields.com/forums/forum/general-issues/

https://wordpress.org/support/plugin/advanced-custom-fields

As you note, there are MILLIONS of sites running this plugin and one that we require as part of using WP3D Models. I'm certain that given the volume of users, this will be resolved quickly.
Post 2 IP   flag post
Premium
Member
GlennTremain private msg quote post Address this user
They wouldn’t till they have the problem solved. This was from wpengine which you and many others have sites on. Being on the internet for 24 years I have come to know that the plugin with the issue doesn’t publish till they fix it or they are just compounding the problem by attracting unwanted attention to the issue. Surprised you would think that they would as it’s not practice for anyone, including yourself, to publish a known exploit without it being fixed first.
Post 3 IP   flag post
WP3D Models
ThreeSixty Tours
rpetersn private msg quote post Address this user
Hey Glenn...I only meant that I’m surprised to see no mention yet from other USERS of ACF after receiving similar security messages.
Post 4 IP   flag post
Premium
Member
GlennTremain private msg quote post Address this user
So if I had a serious exploit into wp3dmodels and I posted it in forums and said “hey if you do this and that in the software you can seriously jack with a site “ why would you keep that in the forum and public for all to read. It’s just no the way the internet works. They publish after they fixed it. It’s internet common sense not to have it public till then. I trust wpengine and wordfence with their warnings.
Post 5 IP   flag post
WP3D Models
ThreeSixty Tours
rpetersn private msg quote post Address this user
Hey Glenn...I feel like maybe I inadvertently touched a nerve here....not my intention.

I was just making a personal observation that I was surprised to not be able to find any more info on this issue on those forums, especially on WordPress.org.

I too greatly trust the places you note and wasn’t implying that there is no issue. I’m sure people are scrambling to push out a fix as we speak.

Thx for your energies here to help keep users of WordPress (and WP3D Models) safe, secure and updated.
Post 6 IP   flag post
Premium
Member
GlennTremain private msg quote post Address this user
I was going to say that about your comments. I don’t have a plugin that greatly relies on it. I’m just on the outside with many Wordpress servers and am trying to tell those with sites what’s up from an unbiased perspective. You have sites at wpengine so you should have got the same email I got.

My nerves are fine from dealing with stuff like this for 24 years. Just telling it like it is. No one EVER publishes or keeps posts up about a problem if they don’t have it fixed yet so to come here and say that because the plugin maker hasn’t said anything is misleading to how these things work.
Post 7 IP   flag post
WGAN
Founder
DanSmigrod private msg quote post Address this user
Here is the email I received from WPEngine
——

Subject: WP Engine Security: Plugin Vulnerability Notification - Advanced Custom Fields Plugin

Hello,

At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security issues. We are reaching out to you today because we identified your site(s), (wegetaround), are utilizing a vulnerable version of the Advanced Custom Fields plugin.

This plugin could allow input from a malicious user with Author privileges to be interpreted as code by site visitors' web browsers. An attacker could use this vulnerability to steal information or modify site configuration.

Unfortunately, the author of this plugin has not yet released a fix to address these security issues. Until that time, we recommend that you assess the risk to your organization with consideration toward the requirement of author privileges for a user to execute this attack. The functionality of Advanced Custom Fields is integral to many themes and other WordPress add-ons, so removing it may break certain aspects of your site.

Please make sure to run a backup of your database before making any changes; which you can learn how to do in this article: http://wpengine.com/support/restore/

Feel free to reach out to our Support team at any time if you have any questions!

Thanks

-WP Engine Security Team

--
Automated message from WP Engine.
Technical Questions? Visit the Support link in the User Portal: <https://my.wpengine.com> or visit the support garage: <https://wpengine.com/support>.
Anything else? Let our Support Team know by logging into your User Portal at <https://my.wpengine.com>.
https://wpengine.com/
@wpengine
Post 8 IP   flag post
Premium
Member
GlennTremain private msg quote post Address this user
Another thing for those reading that are new to this. This happens a lot but usuall before wpengine or wordfense (wordfence you should subscribe to just for the security updates they are great) sends out a warning they reach out to the plugin maker to get them to fix it. The fact that they haven’t yet means the exploit is deeper than usual and they are scrambling. 99.9999% of the time they fix so don’t worry too much. Today there has been a big attempt from hacker bots https://www.wordfence.com/blog/2018/12/wordpress-botnet-attacking-wordpress/

This is like having kids. First one you worry more than you should and 24 years later you worry less, not let it get free rent in your head but take preventive measures.
Post 9 IP   flag post
WP3D Models
ThreeSixty Tours
rpetersn private msg quote post Address this user
Apologies if I came across as misleading, certainly not my intention. I did get the email you note (from WPEngine) and went looking for more information myself.

I was just surprised to not be able to find out any more info after that message (that Dan has since reposted here) and that’s all.

I’ll continue to be on the lookout for my more info and reply with anything I am able to find.

Thx guys!
Post 10 IP   flag post
Premium
Member
GlennTremain private msg quote post Address this user
Again, you won’t “hear “ anything from them till they have a fix. Just like if it was your plugin. The only time someone in this position you hear from them is when it’s fixed. Maybe let everyone know when you see that? Thanks
Post 11 IP   flag post
WP3D Models
ThreeSixty Tours
rpetersn private msg quote post Address this user
Yep! Will do
Post 12 IP   flag post
WP3D Models
ThreeSixty Tours
rpetersn private msg quote post Address this user
Following up here to anyone that is curious. I got a message back from ACF as follows:

********

This issue has recently come to our attention and we are working with the WPEngine team to get it fixed.

The good news is that, the issue is very minor, and does not expose any real risk to your website.
The short version of the issue is: A logged in user (with "author" permissions) is able to enter unfiltered HTML into an ACF field which goes against the 'unfiltered_html' capability mentioned here: https://codex.wordpress.org/Roles_and_Capabilities#unfiltered_html

There is no need to panic. This issue does not pose any real world risk to your website.
That said, we will release a patch tomorrow to get this fixed

Thanks for your patience have a good one.

********
Post 13 IP   flag post
Premium
Member
GlennTremain private msg quote post Address this user
Great to hear and that you have access to them to get a prompt response
Post 14 IP   flag post
WGAN
Founder
DanSmigrod private msg quote post Address this user
From WP Engine in an email alert....

Subject: WP Engine Security: Plugin Update Notification - Google Analytics by Monster Insights Plugin

Hello,

At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security issues. We are reaching out to you today because we identified your site(s), (wegetaround), are utilizing a vulnerable version of the Google Analytics by Monster Insights plugin.

This plugin could allow input from a malicious user to be interpreted as code by site visitor's web browsers. An attacker could use this vulnerability to steal information, or modify site configuration.

To secure your site, upgrade Google Analytics by Monster Insights to 7.3.2.

Please make sure to run a backup of your database before making any changes; which you can learn how to do in this article: http://wpengine.com/support/restore/

Feel free to reach out to our Support team at any time if you have any questions!

Thanks

-WP Engine Security Team

--
Automated message from WP Engine.
Technical Questions? Visit the Support link in the User Portal: <https://my.wpengine.com> or visit the support garage: <https://wpengine.com/support>.
Anything else? Let our Support Team know by logging into your User Portal at <https://my.wpengine.com>.
https://wpengine.com/
@wpengine
Post 15 IP   flag post
WP3D Models
ThreeSixty Tours
rpetersn private msg quote post Address this user
Note that this is an entirely different plugin ( "Google Analytics by Monster Insights" ) from the one in the title of this thread ( "Advanced Custom Fields" ), but a good reminder nonetheless to always keep your site's software up-to-date! This is an easy fix, just update the plugin and you're done.
Post 16 IP   flag post
WP3D Models
ThreeSixty Tours
rpetersn private msg quote post Address this user
To put a bow on this...Advanced Custom Fields (ACF) released version 5.7.8 today, resolving the issue that was noted by WP Engine and the topic of this thread.

https://www.advancedcustomfields.com/blog/acf-5-7-8-release/
Post 17 IP   flag post
Premium
Member
GlennTremain private msg quote post Address this user
Great to hear. Now on to converting php 5.6 and 7.0 to 7.2 and not having people upgrading to Wordpress 5.0 prematurely
Post 18 IP   flag post
53818 18 18
Log in or sign up to compose a reply.
destitute