The most popular custom fields plugins for WordPress, Advanced Custom Fields and Advanced Custom Fields Pro (versions 6.1.5 and below, free and Pro), have been found to contain a security vulnerability, tracked as CVE-2023-30777.
By tricking a privileged user into visiting a crafted URL path, this vulnerability allows any unauthenticated user to steal sensitive information and, in this case, escalate privileges on the WordPress site. It's worth noting that CVE-2023-30777 can only be triggered by logged-in users with access to the plugin, but it can be triggered in a default installation or configuration of Advanced Custom Fields.
The issue was discovered and reported to the maintainers on 2 May 2023. Advanced Custom Fields plugin users are urged to update to version 6.1.6.