Wordpress ACF Encourages Insecure Theming
Recently, I’ve been doing a fair amount of WordPress work, which all but requires the use of the popular Advanced Custom Fields plugin. This plugin, which boasts 1+ million active installs, provides the ability to attach fields to content.
ACF provides two functions to render a field’s value: get_field() and the_field(). The former returns the field’s value, and the latter prints it. Neither function sanitizes user input before rendering it, which results in a critical security vulnerability.
ACF Will Print Anything a User Inputs
A user with access to store input in an ACF field can render anything client side – iframe, javascript, etc. In Anchorman, Ron Burgundy will read anything on the teleprompter. In WordPress, ACF will print anything a user inputs.
ACF Encourages Insecure Theming
At the theme level, it’s certainly possible to sanitize user input; however, ACF doesn’t even mention this as an option in its documentation. Take a look at the documentation for get_field() and the_field(). Themers are plainly being instructed to print unsanitized user input.
Sanitize User Input
It’s straightforward to address this vulnerability. Instead of this:
<?php echo get_field('text'); ?>
Do something like this:
<?php echo filter_var(get_field('text'), FILTER_SANITIZE_STRING); ?>
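The same fix using WordPress's own context-specific escaping helpers, as an added example that is not code from the original post or from ACF; the field names (headline, tagline, cta_link, body_copy) and the theme text domain are assumed for illustration:

```php
<?php
// Added example, not from the original post or from ACF's own code.
// Field names and the 'my-theme' text domain are assumed for illustration.
// Rule: escape at output, with the helper that matches the HTML context the
// value lands in. get_field() is used because it returns the value; the_field()
// echoes the raw stored value and gives no chance to escape it.

// Unsafe pattern (what the ACF docs show): raw stored value printed as-is.
// <?php the_field('headline'); ?>

// 1. Plain text in an element body: HTML-encode it.
$headline = get_field('headline');
echo '<h1>' . esc_html($headline) . '</h1>';

// 2. Text placed inside an attribute: attribute-encode it.
$tagline = get_field('tagline');
echo '<p class="tagline" title="' . esc_attr($tagline) . '">' . esc_html($tagline) . '</p>';

// 3. A link target: esc_url() drops javascript: and other unsafe schemes.
$cta = get_field('cta_link');
echo '<a href="' . esc_url($cta) . '">' . esc_html__('Read more', 'my-theme') . '</a>';

// 4. Rich text from a WYSIWYG field where some markup is intended:
//    keep only the post-safe tag/attribute subset, strip script, iframe, on* handlers.
$body = get_field('body_copy');
echo wp_kses_post($body);

// Reusable helper for the common case so templates cannot forget the escape.
function my_theme_text_field(string $name, int $post_id = 0): string {
    $value = $post_id ? get_field($name, $post_id) : get_field($name);
    // get_field() returns false/null for an empty field; esc_html() turns that into ''.
    return esc_html($value);
}

echo '<span>' . my_theme_text_field('headline') . '</span>';
```

esc_html() and esc_attr() encode rather than strip, so the stored value round-trips intact while the browser treats it as text. FILTER_SANITIZE_STRING, by contrast, strips tags and encodes quotes only, and it is deprecated as of PHP 8.1, so a theme that relies on it will start emitting deprecation notices on current PHP.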