385 matches found
Advanced Custom Fields Extended < 0.9.2 - Remote Code Execution
Advanced Custom Fields: Extended WordPress plugin 0.9.0.5 through 0.9.1.1 contains a remote code execution caused by unsafe use of calluserfuncarray in prepareform function, letting unauthenticated attackers execute arbitrary code remotely. id: CVE-2025-13486 info: name: Advanced Custom Fields...
CVE-2025-14533 Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insertuser' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to...
CVE-2025-14533
The Wordfence disclosure confirms CVE-2025-14533 affects the Advanced Custom Fields: Extended plugin for WordPress (
CVE-2025-14533 Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insertuser' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to...
WordPress Advanced Custom Fields: Extended plugin <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action vulnerability
Unauthenticated Privilege Escalation via Insert User Form Action vulnerability discovered by andrea bocchetti in WordPress Plugin Advanced Custom Fields: Extended versions = 0.9.2.1...
WordPress plugin Advanced Custom Fields: Extended security vulnerabilities
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
PT-2026-3548
Advanced Custom Fields: Extended Plugin Advanced Custom Fields: Extended versions up to and including 0.9.2.1 Description The Advanced Custom Fields: Extended plugin for WordPress has a flaw that allows unauthenticated attackers to gain administrator access. This is due to insufficient restrictio...
100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin
On December 10th, 2025, we received a submission for a Privilege Escalation vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000+ active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative...
CVE-2023-40068
Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative...
CVE-2024-34761
Vulnerability discovered by executing a planned security audit. Improper Control of Generation of Code 'Code Injection' vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10...
CVE-2024-34762
Vulnerability discovered by executing a planned security audit. Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in WPENGINE INC Advanced Custom Fields PRO allows PHP Local File Inclusion.This issue affects Advanced Custom Fields PRO: from n/a before 6.2....
CVE-2025-12030
The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the updateitempermissionscheck method, which only verifies that the current user has the editposts capability...
CVE-2025-12030 ACF to REST API <= 3.3.4 - Insecure Direct Object Reference to Authenticated (Contributor+) ACF Field/Option Modification
The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the updateitempermissionscheck method, which only verifies that the current user has the editposts capability...
WordPress plugin ACF to REST API 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...
PT-2026-1585
Name of the Vulnerable Software and Affected Versions ACF to REST API plugin for WordPress versions through 3.3.4 Description The ACF to REST API plugin for WordPress is affected by an Insecure Direct Object Reference issue. Insufficient capability checks in the update item permissions check meth...
WordPress ACF to REST API plugin <= 3.3.4 - Insecure Direct Object Reference to Authenticated (Contributor+) ACF Field/Option Modification vulnerability
Insecure Direct Object Reference to Authenticated Contributor+ ACF Field/Option Modification vulnerability discovered by Kai Aizen in WordPress Plugin ACF to REST API versions = 3.3.4...
CVE-2025-12067
CVE-2025-12067 involves the WordPress plugin Table Field Add-on for ACF and SCF. The issue is stored XSS via Table Cell Content in versions up to 1.3.30, caused by insufficient input sanitization and output escaping. The vulnerability can be triggered by authenticated attackers with Author-level ...
CVE-2025-12067 Table Field Add-on for ACF and SCF <= 1.3.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table Cell Content
The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
WordPress plugin Table Field Add-on for ACF and SCF 跨站脚本漏洞
WordPress and the WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. WordPress is a blogging platform developed using the PHP language, which provides the ability to host a personal blog site on a PHP and MySQL based...
Exploit for CVE-2025-13486
CVE-2025-13486 The Advanced Custom...