• Resolved katmacau

    (@katmacau)


    Hello. I saw your recent update fixes a PHP object vulnerability. Can non-logged-in users exploit this? Or is it only logged-in users? What should you look for to see if your site has been compromised?

    Thanks

Viewing 1 replies (of 1 total)
  • Plugin Contributor Matt Shaw

    (@mattshaw)

    Hi there,

    This vulnerability would require your site (i.e. in another theme or plugin) to have a class with a vulnerable __wakeup() or __unserialize() magic method. An attacker would have to know (or guess) that the class is included on your site. This should be relatively uncommon in well-meaning themes or plugins, and we haven’t had any reports of this happening in the wild.

    The signs of it being exploited will depend on the vulnerable third party class or theme being exploited. You may also be able to check the database to look for serialized objects in ACF fields or field groups. If you think your site might have been compromised, we would recommend reaching out to a trusted security expert for further analysis.

    Upgrading ACF to the latest version will prevent this from being exploited using ACF. Alternatively, if you’re still on version 5 of ACF, we’ve backported the security fix into version 5.12.5, which can be downloaded from the “Previous Versions” section here.
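
One way to carry out the database check mentioned in the reply above, as an added example that is not part of the thread and not ACF's own code: a token scanner that reports object entries (`O:`/`C:`) in stored values and skips string bodies by their byte length, so text that merely looks like an object is not flagged. The function names, the sample rows and the class name `ExampleGadget` are constructed for illustration, and how the values are exported from the database is left out.

```python
import re

# One token at the current offset: string/object header, array header, scalar, null or "}".
_TOKEN = re.compile(rb'([sOC]):(\d+):"|a:\d+:\{|[bidrR]:[^;]*;|N;|\}')
_OBJ_TAIL = re.compile(rb'":(\d+):\{')     # what follows an object's class name

def object_classes(value):
    """Return the class names of PHP objects serialized in `value` ([] if none)."""
    buf = value.encode("utf-8") if isinstance(value, str) else value  # lengths are bytes
    found, pos = [], 0
    while pos < len(buf):
        m = _TOKEN.match(buf, pos)
        if m is None:
            break                          # plain or truncated text: keep what was seen
        pos, kind = m.end(), m.group(1)
        if kind is None:
            continue                       # array header, scalar, null or "}"
        n = int(m.group(2))
        body, pos = buf[pos:pos + n], pos + n
        if kind == b"s":                   # string: skipped by length, never scanned
            if buf[pos:pos + 2] != b'";':
                break
            pos += 2
            continue
        tail = _OBJ_TAIL.match(buf, pos)   # O (object) or C (custom-serialized object)
        if tail is None:
            break
        found.append(body.decode("utf-8", "replace"))
        pos = tail.end()
        if kind == b"C":
            pos += int(tail.group(1)) + 1  # opaque payload plus closing "}"
    return found

# Constructed sample rows: (row id, stored value). Arrays alone are not reported.
SAMPLE_ROWS = [
    (101, 'a:2:{i:0;s:3:"red";i:1;s:4:"blue";}'),
    (102, 'a:1:{s:4:"note";s:20:"O:1:"X":0:{} as text";}'),
    (103, 'a:1:{s:3:"cfg";O:13:"ExampleGadget":1:{s:4:"name";s:4:"test";}}'),
    (104, "Plain text value"),
]

def scan(rows):
    """Return [(row id, class names)] for rows that hold a serialized object."""
    return [(rid, names) for rid, v in rows if (names := object_classes(v))]

if __name__ == "__main__":
    for rid, names in scan(SAMPLE_ROWS):
        print(f"row {rid}: serialized object(s) {names}")
```

This is a flat token scan rather than a validating parser, so it can report a value that PHP itself would reject; each reported class name still has to be compared against the classes the site's themes and plugins actually define.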

  • The topic ‘Object vulnerability question’ is closed to new replies.