Description
The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5.
Published: 2026-04-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion leading to possible remote code execution
Action: Immediate patch
AI Analysis

Impact

The Advanced Members for ACF plugin for WordPress suffers from insufficient file path validation in the create_crop function. This flaw allows an authenticated user with Subscriber status or higher to trigger a file deletion request that bypasses path checks, enabling removal of any file on the server, such as wp-config.php. Removing such critical files can permit an attacker to overwrite configuration, inject malicious code, or otherwise compromise the entire WordPress installation.

Affected Systems

The vulnerable plugin is distributed by danbilabs under the name Advanced Members for ACF. Versions up to and including 1.2.5 are affected. WordPress sites that have installed this plugin, particularly those that grant Subscriber or higher roles the ability to use the cropping feature, are at risk. The issue also persists in earlier releases, such as 1.2.4, as noted in the plugin repository.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. Because the flaw is exploitable by any authenticated user with the minimal Subscriber role, its potential impact is large. Although no publicly known exploit is available and the vulnerability is not listed in the CISA KEV catalog, attackers could delete critical files and potentially gain remote code execution or deny service. The patch in version 1.2.5 partially addresses the issue, but administrators should update to the latest release to eliminate the risk.

Generated by OpenCVE AI on April 8, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest approved release of the Advanced Members for ACF plugin, version greater than 1.2.5, which contains the complete path validation fix.
  • Verify the current plugin version on each WordPress installation to confirm that the update has been applied.
  • Restrict the ability to crop avatars or any other functionality that triggers the create_crop process to users with higher privileges if the feature is not needed for Subscribers.
  • Ensure that files such as wp-config.php and other sensitive configuration files have restrictive file permissions so that even if an unauthorized deletion is attempted they cannot be removed without sufficient permissions.
  • Monitor server logs for anomalous file deletion activity and review the user role capabilities after the update.

Generated by OpenCVE AI on April 8, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Danbilabs
Danbilabs advanced Members For Acf
Wordpress
Wordpress wordpress
Vendors & Products Danbilabs
Danbilabs advanced Members For Acf
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Description The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5.
Title Advanced Members for ACF <= 1.2.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Danbilabs Advanced Members For Acf
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:44.695Z

Reserved: 2026-02-26T02:55:32.603Z

Link: CVE-2026-3243

cve-icon Vulnrichment

Updated: 2026-04-08T14:16:47.994Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T12:16:21.610

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-3243

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:49Z

Weaknesses