From d3738bf36053591fc41f26a4ce734e24070e1164 Mon Sep 17 00:00:00 2001 From: Nick Keenan Date: Sun, 22 Feb 2026 12:19:43 -0800 Subject: [PATCH 1/5] Update acf-image-crop-v5.php Fix: Add capability check to perform_crop() - CVE-2023-22676 --- acf-image-crop-v5.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/acf-image-crop-v5.php b/acf-image-crop-v5.php index fd3fcae..7b5fd9c 100644 --- a/acf-image-crop-v5.php +++ b/acf-image-crop-v5.php @@ -495,6 +495,10 @@ function input_admin_enqueue_scripts() { } function perform_crop(){ + if ( ! current_user_can( 'upload_files' ) ) { + wp_send_json_error( 'Unauthorized', 403 ); + wp_die(); + } $targetWidth = $_POST['target_width']; $targetHeight = $_POST['target_height']; @@ -1240,4 +1244,4 @@ function delete_field( $field ) { // create field new acf_field_image_crop(); -?> \ No newline at end of file +?> From b322b97e04d067a30f2ded8a62b7cbe376986855 Mon Sep 17 00:00:00 2001 From: Nick Keenan Date: Sun, 22 Feb 2026 12:26:31 -0800 Subject: [PATCH 2/5] Update fork details and bump version number --- acf-image-crop.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/acf-image-crop.php b/acf-image-crop.php index 578a0f8..a1f8751 100644 --- a/acf-image-crop.php +++ b/acf-image-crop.php @@ -1,10 +1,10 @@ Date: Sun, 22 Feb 2026 12:30:10 -0800 Subject: [PATCH 3/5] Docs: Add fork notice and security patch details to README --- README.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 825f8e8..ebdf625 100644 --- a/README.md +++ b/README.md 
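Review bot: The added guard in `perform_crop()` checks only the `upload_files` capability and nothing in the hunk validates a request nonce, so the AJAX handler still reads `$_POST['target_width']` and `$_POST['target_height']` from any request a logged-in uploader can be induced to send; unless `check_ajax_referer()` is called later in `perform_crop` (its body continues outside the hunk), a nonce check belongs next to the capability test. `wp_send_json_error()` already terminates the response via `wp_die()`, so the `wp_die();` on the following line is unreachable and can be dropped. A role capability also does not establish that the caller may edit the particular attachment being cropped; a per-object `current_user_can( 'edit_post', $attachment_id )` against the posted attachment id (not visible in this hunk) would be the tighter test. The posted width and height are assigned without casting; `(int) $_POST['target_width']` and `(int) $_POST['target_height']` would keep them numeric before they reach the resize code. PATCH 4/5 (`@@ -494,7 +494,11 @@`) adds the same block and these points apply there equally.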
@@ -1,14 +1,16 @@ # Advanced Custom Fields: Image Crop Add-on # -Contributors: andersthorborg +Contributors: andersthorborg, nickkeenan Tags: afc, advanced custom fields, image crop, image, crop Requires at least: 3.5 -Tested up to: 4.6 -Stable tag: 1.4.12 +Tested up to: 6.9.1 +Stable tag: 1.4.13 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html An image field making it possible/required for the user to crop the selected image to the specified image size or dimensions +This is a maintained fork of the abandoned [original plugin](https://github.com/andersthorborg/ACF-Image-Crop) by Anders Thorborg. + ## Description ## ACF image crop is an extended version of the native Image-field in ACF. @@ -58,9 +60,19 @@ function my_register_fields() 5. The image is cropped to the desired format, using the restrictions set under field options 6. The new format is shown using the specified preview size. The original image is kept with the field, so the image can be re-cropped at any time. +## Credits ## + +Originally developed by [Anders Thorborg](http://thorb.org). +This fork maintained by [Nick Keenan / Gameflow Interactive](https://gameflowinteractive.com) +with security patches applied. All credit for the original plugin goes to Anders. ## Changelog ## +### 1.4.13 ### +**Security fix applied:** CVE-2023-22676 / PSID ae467650d1f0 +Adds `upload_files` capability check to `perform_crop()` to prevent +subscriber-level users from modifying media library images. + ### 1.4.12 ### * Fix compatibility with ACF Pro 5.6.0 From 30205b25832c3bc0a9ee40fd84cf09305a8ed03c Mon Sep 17 00:00:00 2001 
From: Nick Keenan Date: Sun, 22 Feb 2026 12:39:05 -0800 Subject: [PATCH 4/5] Broken Access Control Security Patch Addresses CVE-2023-22676 (Broken Access Control, CVSS 3.1) - Adds user capability check to `perform_crop` AJAX action to prevent unauthorized users from cropping media library images - Original report: https://patchstack.com/database/wordpress/plugin/acf-image-crop-add-on/vulnerability/wordpress-advanced-custom-fields-image-crop-add-on-plugin-1-4-12-broken-access-control --- acf-image-crop-v5.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/acf-image-crop-v5.php b/acf-image-crop-v5.php index fd3fcae..d06a4d5 100644 --- a/acf-image-crop-v5.php +++ b/acf-image-crop-v5.php @@ -494,7 +494,11 @@ function input_admin_enqueue_scripts() { } - function perform_crop(){ + function perform_crop + if ( ! current_user_can( 'upload_files' ) ) { + wp_send_json_error( 'Unauthorized', 403 ); + wp_die(); + } $targetWidth = $_POST['target_width']; $targetHeight = $_POST['target_height']; @@ -1240,4 +1244,4 @@ function delete_field( $field ) { // create field new acf_field_image_crop(); -?> \ No newline at end of file +?> From 4e6ea2438de308676a5a61ede4630d9ef418483b Mon Sep 17 00:00:00 2001 From: Nick Keenan Date: Sun, 22 Feb 2026 12:58:18 -0800 Subject: [PATCH 5/5] Declare property explicitly for PHP 8.0+ compatibility Adds explicit class property declaration to resolve deprecated dynamic property creation warnings introduced in PHP 8.0 and fatal errors in PHP 8.2+. --- acf-image-crop-v5.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acf-image-crop-v5.php b/acf-image-crop-v5.php index d06a4d5..dffdcb7 100644 --- a/acf-image-crop-v5.php +++ b/acf-image-crop-v5.php @@ -2,7 +2,7 @@ class acf_field_image_crop extends acf_field_image { - + var $options; /* * initialize *
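Review bot: The replacement signature line in the `@@ -494,7 +494,11 @@` hunk reads `+ function perform_crop` with no parameter list or opening brace, and the diffstat's second deletion confirms the original `function perform_crop(){` line was removed rather than kept, so as committed the following `if` block sits outside any method body and the file no longer parses; unless this is a rendering artefact, restore `function perform_crop(){` as PATCH 1/5 has it. This patch is also based on blob `fd3fcae`, the same pre-image as PATCH 1/5, rather than on that patch's result `7b5fd9c`, so the two cannot both apply to one tree, and PATCH 5/5 builds on this patch's result `d06a4d5`, which means the broken signature would carry forward. The body of `perform_crop` continues outside the hunk.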