{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3243", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-26T02:55:32.603Z", "datePublished": "2026-04-08T11:16:57.732Z", "dateUpdated": "2026-04-08T16:41:44.695Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:44.695Z"}, "affected": [{"vendor": "danbilabs", "product": "Advanced Members for ACF", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5."}], "title": "Advanced Members for ACF <= 1.2.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710"}, {"url": "https://plugins.trac.wordpress.org/changeset/3479725/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3492372/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-27T18:27:14.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:16:39.900576Z", "id": "CVE-2026-3243", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:16:52.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3243", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T14:16:39.900576Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:16:47.994Z"}}], "cna": {"title": "Advanced Members for ACF <= 1.2.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "danbilabs", "product": "Advanced Members for ACF", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-27T18:27:14.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710"}, {"url": "https://plugins.trac.wordpress.org/changeset/3479725/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3492372/"}], "descriptions": [{"lang": "en", "value": "The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T11:16:57.732Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3243", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:16:52.744Z", "dateReserved": "2026-02-26T02:55:32.603Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T11:16:57.732Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5."}], "id": "CVE-2026-3243", "lastModified": "2026-04-24T18:05:09.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T12:16:21.610", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3479725/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3492372/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Advanced Members for ACF", "source": "cna", "vendor": "danbilabs"}, "product": "advanced_members_for_acf", "vendor": "danbilabs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T12:50:48.802478+00:00", "value": {"mitigation_remediation": ["Download and install the latest approved release of the Advanced Members for ACF plugin, version greater than 1.2.5, which contains the complete path validation fix.", "Verify the current plugin version on each WordPress installation to confirm that the update has been applied.", "Restrict the ability to crop avatars or any other functionality that triggers the create_crop process to users with higher privileges if the feature is not needed for Subscribers.", "Ensure that files such as wp-config.php and other sensitive configuration files have restrictive file permissions so that even if an unauthorized deletion is attempted they cannot be removed without sufficient permissions.", "Monitor server logs for anomalous file deletion activity and review the user role capabilities after the update."], "summary": {"action": "Immediate patch", "impact": "Arbitrary file deletion leading to possible remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerable plugin is distributed by danbilabs under the name Advanced Members for ACF. Versions up to and including 1.2.5 are affected. WordPress sites that have installed this plugin, particularly those that grant Subscriber or higher roles the ability to use the cropping feature, are at risk. The issue also persists in earlier releases, such as 1.2.4, as noted in the plugin repository.", "description_and_impact": "The Advanced Members for ACF plugin for WordPress suffers from insufficient file path validation in the create_crop function. This flaw allows an authenticated user with Subscriber status or higher to trigger a file deletion request that bypasses path checks, enabling removal of any file on the server, such as wp-config.php. Removing such critical files can permit an attacker to overwrite configuration, inject malicious code, or otherwise compromise the entire WordPress installation.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity. Because the flaw is exploitable by any authenticated user with the minimal Subscriber role, its potential impact is large. Although no publicly known exploit is available and the vulnerability is not listed in the CISA KEV catalog, attackers could delete critical files and potentially gain remote code execution or deny service. The patch in version 1.2.5 partially addresses the issue, but administrators should update to the latest release to eliminate the risk."}}}}, "created": "2026-04-08T19:27:12.817735+00:00", "updated": "2026-04-08T19:39:49.808100+00:00", "vendors": ["danbilabs", "danbilabs$PRODUCT$advanced_members_for_acf", "wordpress", "wordpress$PRODUCT$wordpress"]}