Title: Object vulnerability question
Last modified: April 5, 2023

---

# Object vulnerability question

 *  Resolved [katmacau](https://wordpress.org/support/users/katmacau/)
 * (@katmacau)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/object-vulnerability-question/)
 * hello. I saw your recent update fixes a php object vulnerability. Can non logged
   in users exploit this? Or is it only logged in users? What should you look for
   to see if your site has been compromised?
 * thanks

Viewing 1 replies (of 1 total)

 *  Plugin Contributor [Matt Shaw](https://wordpress.org/support/users/mattshaw/)
 * (@mattshaw)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/object-vulnerability-question/#post-16633504)
 * Hi there,
 * This vulnerability would require your site (i.e. in another theme or plugin) 
   to have a class with a vulnerable `__wakeup()` or `__unserialize()` magic method.
   An attacker would have to know (or guess) that the class is included on your 
   site. This should be relatively uncommon in well-meaning themes or plugins, and
   we haven’t had any reports of this happening in the wild.
 * The signs of it being exploited will depend on the vulnerable third party class
   or theme being exploited. You may also be able to check the database to look 
   for serialized objects in ACF fields or field groups. If you think your site 
   might have been compromised, we would recommend reaching out to a trusted security
   expert for further analysis.
 * Upgrading ACF to the latest version will prevent this from being exploited using
   ACF. Alternatively, if you’re still on version 5 of ACF, we’ve backported the
   security fix into version 5.12.5, which can be downloaded from the “Previous 
   Versions” section [here](https://wordpress.org/plugins/advanced-custom-fields/advanced/).

Viewing 1 replies (of 1 total)

The topic ‘Object vulnerability question’ is closed to new replies.

 * ![](https://ps.w.org/advanced-custom-fields/assets/icon.svg?rev=3207824)
 * [Advanced Custom Fields (ACF®)](https://wordpress.org/plugins/advanced-custom-fields/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/advanced-custom-fields/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/advanced-custom-fields/)
 * [Active Topics](https://wordpress.org/support/plugin/advanced-custom-fields/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/advanced-custom-fields/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/advanced-custom-fields/reviews/)

## Tags

 * [ACF](https://wordpress.org/support/topic-tag/acf/)

 * 2 replies
 * 2 participants
 * Last reply from: [Matt Shaw](https://wordpress.org/support/users/mattshaw/)
 * Last activity: [3 years, 2 months ago](https://wordpress.org/support/topic/object-vulnerability-question/#post-16633504)
 * Status: resolved