CVE-2024-34762 Overview
CVE-2024-34762 is a path traversal vulnerability [CWE-22] in WP Engine's Advanced Custom Fields PRO plugin for WordPress. The flaw affects all versions before 6.2.10 and enables PHP Local File Inclusion (LFI). An authenticated user with contributor-level access can supply manipulated path input to load arbitrary local PHP files. Successful exploitation can lead to information disclosure, code execution via includable files, and full site compromise.
Critical Impact
Authenticated attackers with low privileges can leverage path traversal to include local PHP files, escalate impact across confidentiality, integrity, and availability, and pivot to broader WordPress compromise.
Affected Products
- WP Engine Advanced Custom Fields PRO versions prior to 6.2.10
- WordPress installations using ACF PRO with contributor-or-higher accounts
- Multisite WordPress deployments embedding the vulnerable plugin
Discovery Timeline
- 2024-06-10 - CVE-2024-34762 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-34762
Vulnerability Analysis
The vulnerability stems from improper limitation of a pathname to a restricted directory within Advanced Custom Fields PRO. The plugin accepts user-controlled input that is later passed into a PHP file inclusion routine without sufficient normalization or allow-listing. An attacker authenticated as a contributor can traverse directories using sequences such as ../ to reference files outside the intended template path. Because PHP's inclusion functions execute the included file as code, any local .php file readable by the web server becomes an execution primitive. The scope-changed CVSS vector indicates that exploitation impacts resources beyond the vulnerable component, consistent with full WordPress site takeover.
Root Cause
The root cause is missing canonicalization and validation of file path parameters before they reach a PHP include or require call. The plugin trusts contributor-supplied field configuration data that should be treated as untrusted. Without strict checks against a fixed base directory, traversal sequences are resolved by the filesystem rather than rejected by the application.
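The two patterns described above, shown side by side in PHP as an added illustration (this is not ACF PRO's code, and the template directory, file names and request values are constructed for the demo): an include that concatenates a request-supplied name straight into the path, beside a resolver that allow-lists the name syntactically, canonicalises with realpath() and enforces containment in a fixed base directory.

```php
<?php
// Added example, not ACF PRO's code. Demonstrates the unsafe include pattern
// the advisory describes and a hardened resolver. Paths are constructed.

declare(strict_types=1);

// Throwaway template directory so the script runs offline.
$base = sys_get_temp_dir() . '/acf-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/card.php', "<?php echo 'card template';\n");
file_put_contents($base . '/secret.php', "<?php echo 'should never be included';\n");

/**
 * Unsafe pattern (defined, deliberately never called): the request-supplied
 * name is concatenated into the include path, so "../secret" resolves outside
 * templates/ and the file is executed as PHP.
 */
function include_template_unsafe(string $base, string $name): void
{
    include $base . '/templates/' . $name . '.php';
}

/**
 * Hardened resolver: returns the canonical path of an allowed template, or
 * null when the request must be rejected.
 */
function resolve_template(string $base, string $name): ?string
{
    // 1. Syntactic allow-list: identifiers only, no separators, no dots.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise both sides; realpath() returns false for missing files
    //    and resolves symlinks, so the check runs on the real filesystem path.
    $dir = realpath($base . '/templates');
    $candidate = realpath($dir . '/' . $name . '.php');
    if ($dir === false || $candidate === false) {
        return null;
    }
    // 3. Containment check on canonical paths. The trailing separator stops
    //    "/templates-evil/x.php" from passing as a prefix match of "/templates".
    if (strncmp($candidate, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$requests = ['card', '../secret', '..%2fsecret', 'card/../../secret'];
foreach ($requests as $name) {
    $path = resolve_template($base, $name);
    printf("%-20s => %s\n", $name, $path === null ? 'REJECTED' : 'include ' . basename($path));
}
// Expected: only "card" is accepted; the three traversal attempts are rejected.

// Remove the demo directory.
unlink($base . '/templates/card.php');
unlink($base . '/secret.php');
rmdir($base . '/templates');
rmdir($base);
```

The order of the checks matters: the syntactic allow-list rejects the obvious cases cheaply, but the realpath() containment check is the one that holds up against encodings, symlinks and normalisation differences that a string filter alone would miss.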
Attack Vector
Exploitation requires network access to the WordPress admin interface and a valid contributor account, which is a common low-privilege role on multi-author sites. The attacker submits crafted field metadata or template references that resolve to attacker-chosen paths on disk. When the plugin renders or processes these fields, PHP includes the targeted file. By chaining with file upload endpoints, log poisoning, or session file injection, attackers can convert local inclusion into remote code execution.
No verified public proof-of-concept code is referenced in the advisory. See the Patchstack Vulnerability Database Entry for technical details.
Detection Methods for CVE-2024-34762
Indicators of Compromise
- Web access log entries containing ../, ..%2f, or encoded traversal sequences targeting ACF endpoints under /wp-admin/ and /wp-content/plugins/advanced-custom-fields-pro/
- Unexpected PHP include/require errors in WordPress debug logs referencing files outside the plugin directory
- Contributor accounts performing administrative-like file or template operations
- Unexplained access to sensitive files such as wp-config.php reflected in error responses
Detection Strategies
- Inspect WordPress audit logs for contributor users modifying ACF field group configurations or template paths
- Deploy web application firewall rules that flag traversal patterns and PHP wrapper schemes such as php:// or file:// in plugin parameters
- Correlate authenticated session activity with subsequent PHP file inclusion errors to identify exploitation attempts
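A small log scanner implementing the indicators and detection strategies listed above, added here as an example (it is not part of the advisory or of any vendor tooling, and the access log lines it reads are constructed). It normalises request targets by bounded repeated percent-decoding so that ../, ..%2f and double-encoded %252e%252e%252f all collapse to the same form, restricts scope to /wp-admin/ and the ACF PRO plugin path, and reports traversal sequences and PHP stream wrappers. It assumes PHP 8.0 or later.

```php
<?php
// Added example, not from the advisory. Scans access log lines for traversal
// and wrapper patterns against ACF PRO and wp-admin paths. Log lines are
// constructed for this demo. Requires PHP 8.0+ (str_contains).

declare(strict_types=1);

// Combined-log-format samples (constructed).
$access_log = <<<'LOG'
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=acf/fields/post_object/query HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2024:12:00:05 +0000] "POST /wp-admin/post.php?acf_template=../../../wp-config HTTP/1.1" 200 2048
198.51.100.9 - - [10/Jun/2024:12:01:11 +0000] "GET /wp-content/plugins/advanced-custom-fields-pro/?t=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 318
198.51.100.9 - - [10/Jun/2024:12:01:40 +0000] "GET /wp-admin/post.php?acf_template=%252e%252e%252fsecret HTTP/1.1" 200 900
192.0.2.5 - - [10/Jun/2024:12:02:00 +0000] "GET /blog/2024/06/hello-world/ HTTP/1.1" 200 7001
192.0.2.5 - - [10/Jun/2024:12:02:30 +0000] "GET /wp-admin/post.php?acf_template=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4096
LOG;

/**
 * Normalise a request target the way a WAF or log pipeline should: decode
 * percent-encoding repeatedly (bounded, to avoid unbounded loops on hostile
 * input), unify separators and lower-case the result.
 */
function normalise_target(string $target, int $max_rounds = 3): string
{
    for ($i = 0; $i < $max_rounds; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return strtolower(str_replace('\\', '/', $target));
}

/**
 * Return suspicious log lines with the reason each matched. Only requests
 * to ACF PRO or wp-admin paths are in scope.
 */
function find_traversal_attempts(string $log): array
{
    $scope = '#^/(wp-admin/|wp-content/plugins/advanced-custom-fields-pro/)#';
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/"(?:GET|POST|PUT) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $target = normalise_target($m[1]);
        if (!preg_match($scope, $target)) {
            continue;
        }
        $reason = null;
        if (str_contains($target, '../') || str_contains($target, '/..')) {
            $reason = 'directory traversal sequence';
        } elseif (preg_match('#(?:php|file|data|phar)://#', $target)) {
            $reason = 'php stream wrapper in parameter';
        }
        if ($reason !== null) {
            $hits[] = ['line' => $line, 'reason' => $reason, 'normalised' => $target];
        }
    }
    return $hits;
}

foreach (find_traversal_attempts($access_log) as $hit) {
    printf("[%s] %s\n", $hit['reason'], $hit['normalised']);
}
// Expected: four hits (the 2nd, 3rd, 4th and 6th lines); the admin-ajax
// query and the public blog request are not reported.
```

Feeding the normalised target, rather than the raw one, into the pattern match is the point: a rule that only looks for a literal "../" misses the encoded and double-encoded variants that the indicators above call out.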
Monitoring Recommendations
- Enable WordPress WP_DEBUG_LOG and forward PHP error logs to a centralized log platform for retention and alerting
- Monitor filesystem access by the web server user for reads of wp-config.php, .htaccess, and files outside the document root
- Track plugin version inventory across all WordPress instances to identify hosts still running ACF PRO below 6.2.10
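The version-inventory check from the last recommendation, as an added example that is not part of the advisory: it reads the Version: header of the ACF PRO main plugin file under each WordPress root and flags installations below 6.2.10 with version_compare(). The three WordPress roots are constructed temporary directories, and the main plugin file location (advanced-custom-fields-pro/acf.php) is an assumption; adjust it to match the installed plugin.

```php
<?php
// Added example, not part of the advisory. Flags WordPress roots whose ACF PRO
// header version is below the fixed release. The roots are constructed temp
// directories; the main plugin file name acf.php is assumed.

declare(strict_types=1);

const ACF_PRO_FIXED_VERSION = '6.2.10';
const ACF_PRO_MAIN_FILE = 'wp-content/plugins/advanced-custom-fields-pro/acf.php';

/**
 * Read the "Version:" field from a plugin header, or null if the plugin is not
 * installed at that root or the header is missing.
 */
function read_plugin_version(string $wp_root, string $plugin_file): ?string
{
    $path = rtrim($wp_root, '/') . '/' . $plugin_file;
    if (!is_file($path)) {
        return null;
    }
    // WordPress itself only inspects the first 8 KiB of the file for headers.
    $header = file_get_contents($path, false, null, 0, 8192);
    if ($header === false || !preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m)) {
        return null;
    }
    return $m[1];
}

/**
 * Build the inventory: root => ['version' => string|null, 'vulnerable' => bool|null].
 * 'vulnerable' is null when the plugin is not present at that root.
 */
function inventory_acf_pro(array $wp_roots): array
{
    $report = [];
    foreach ($wp_roots as $root) {
        $version = read_plugin_version($root, ACF_PRO_MAIN_FILE);
        $report[$root] = [
            'version'    => $version,
            'vulnerable' => $version === null ? null : version_compare($version, ACF_PRO_FIXED_VERSION, '<'),
        ];
    }
    return $report;
}

// Constructed fixture: three fake WordPress roots in different states.
$tmp = sys_get_temp_dir() . '/wp-inventory-' . bin2hex(random_bytes(4));
$fixtures = ['site-a' => '6.2.9', 'site-b' => '6.2.10', 'site-c' => null];
foreach ($fixtures as $site => $version) {
    $root = "$tmp/$site";
    mkdir($root, 0700, true);
    if ($version !== null) {
        mkdir(dirname("$root/" . ACF_PRO_MAIN_FILE), 0700, true);
        file_put_contents("$root/" . ACF_PRO_MAIN_FILE,
            "<?php\n/*\nPlugin Name: Advanced Custom Fields PRO\nVersion: $version\n*/\n");
    }
}

$roots = array_map(fn ($s) => "$tmp/$s", array_keys($fixtures));
foreach (inventory_acf_pro($roots) as $root => $info) {
    $state = $info['vulnerable'] === null ? 'not installed' : ($info['vulnerable'] ? 'VULNERABLE' : 'patched');
    printf("%-10s %-8s %s\n", basename($root), $info['version'] ?? '-', $state);
}
// Expected: site-a 6.2.9 VULNERABLE, site-b 6.2.10 patched, site-c not installed.
```

version_compare() is used deliberately instead of a string comparison: "6.2.9" sorts after "6.2.10" as a string, which is exactly the mistake that would hide unpatched hosts.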
How to Mitigate CVE-2024-34762
Immediate Actions Required
- Upgrade Advanced Custom Fields PRO to version 6.2.10 or later on every WordPress instance
- Audit contributor and author accounts, removing inactive or untrusted users and rotating credentials
- Review WordPress and web server logs for traversal patterns observed since plugin installation
- Restrict access to /wp-admin/ by IP address where operationally feasible
Patch Information
WP Engine addressed the vulnerability in Advanced Custom Fields PRO 6.2.10. The fixed release adds path validation to prevent traversal in field and template handling. Refer to the Patchstack Vulnerability Database Entry for the upstream advisory.
Workarounds
- Temporarily disable Advanced Custom Fields PRO on sites that cannot be patched immediately
- Deploy a web application firewall rule blocking path traversal sequences against ACF endpoints
- Enforce least-privilege user roles, denying contributor access until upgrade is complete
- Set the PHP open_basedir directive to restrict file inclusion to the WordPress installation directory
; Configuration example: restrict PHP file access via open_basedir in php.ini
; (php.ini comments use ";" ; adjust the path to the actual WordPress document root)
open_basedir = "/var/www/html/wordpress/:/tmp/"
; Caveat: open_basedir blocks traversal outside the installation directory but
; does not prevent inclusion of files inside it, such as wp-config.php
; Disable process-spawning functions commonly abused after code execution
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
; Refuse include/require of remote URLs and remote fopen
allow_url_include = Off
allow_url_fopen = Off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.