Lucene search
+L

385 matches found

nuclei
nuclei
added 2026/02/04 7:0 a.m.30 views

Advanced Custom Fields Extended < 0.9.2 - Remote Code Execution

Advanced Custom Fields: Extended WordPress plugin 0.9.0.5 through 0.9.1.1 contains a remote code execution caused by unsafe use of calluserfuncarray in prepareform function, letting unauthenticated attackers execute arbitrary code remotely. id: CVE-2025-13486 info: name: Advanced Custom Fields...

9.8CVSS8.7AI score0.73557EPSS
Exploits10References2
vulnrichment
vulnrichment
added 2026/01/20 9:25 a.m.6 views

CVE-2025-14533 Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insertuser' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to...

9.8CVSS5.5AI score0.00982EPSS
Exploits0References4
cve
cve
added 2026/01/20 9:25 a.m.46 views

CVE-2025-14533

The Wordfence disclosure confirms CVE-2025-14533 affects the Advanced Custom Fields: Extended plugin for WordPress (

9.8CVSS5.5AI score0.00982EPSS
Exploits0References4
cvelist
cvelist
added 2026/01/20 9:25 a.m.29 views

CVE-2025-14533 Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insertuser' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to...

9.8CVSS0.00982EPSS
Exploits0References4
patchstack
patchstack
added 2026/01/20 6:47 a.m.14 views

WordPress Advanced Custom Fields: Extended plugin <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action vulnerability

Unauthenticated Privilege Escalation via Insert User Form Action vulnerability discovered by andrea bocchetti in WordPress Plugin Advanced Custom Fields: Extended versions = 0.9.2.1...

9.8CVSS5.4AI score0.00982EPSS
Exploits0References1Affected Software1
cnnvd
cnnvd
added 2026/01/20 12:0 a.m.6 views

WordPress plugin Advanced Custom Fields: Extended security vulnerabilities

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

9.8CVSS6AI score0.00982EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/01/20 12:0 a.m.16 views

PT-2026-3548

Advanced Custom Fields: Extended Plugin Advanced Custom Fields: Extended versions up to and including 0.9.2.1 Description The Advanced Custom Fields: Extended plugin for WordPress has a flaw that allows unauthenticated attackers to gain administrator access. This is due to insufficient restrictio...

9.8CVSS5.3AI score0.00982EPSS
Exploits0References26
wordfence
wordfence
added 2026/01/19 9:23 p.m.14 views

100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin

On December 10th, 2025, we received a submission for a Privilege Escalation vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000+ active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative...

9.8CVSS5.7AI score0.00982EPSS
Exploits0
redhatcve
redhatcve
added 2026/01/09 12:30 p.m.6 views

CVE-2023-40068

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative...

5.4CVSS6.7AI score0.0148EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/01/09 8:35 a.m.23 views

CVE-2024-34761

Vulnerability discovered by executing a planned security audit. Improper Control of Generation of Code 'Code Injection' vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10...

8.5CVSS6.9AI score0.00429EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/01/09 8:34 a.m.15 views

CVE-2024-34762

Vulnerability discovered by executing a planned security audit. Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in WPENGINE INC Advanced Custom Fields PRO allows PHP Local File Inclusion.This issue affects Advanced Custom Fields PRO: from n/a before 6.2....

9.9CVSS6.8AI score0.0059EPSS
Exploits0References1
nvd
nvd
added 2026/01/07 12:16 p.m.9 views

CVE-2025-12030

The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the updateitempermissionscheck method, which only verifies that the current user has the editposts capability...

4.3CVSS0.00289EPSS
Exploits1References3
cvelist
cvelist
added 2026/01/07 8:21 a.m.31 views

CVE-2025-12030 ACF to REST API <= 3.3.4 - Insecure Direct Object Reference to Authenticated (Contributor+) ACF Field/Option Modification

The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the updateitempermissionscheck method, which only verifies that the current user has the editposts capability...

4.3CVSS0.00289EPSS
Exploits1References3
cnnvd
cnnvd
added 2026/01/07 12:0 a.m.10 views

WordPress plugin ACF to REST API 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...

4.3CVSS6.3AI score0.00289EPSS
Exploits1References3
ptsecurity
ptsecurity
added 2026/01/07 12:0 a.m.14 views

PT-2026-1585

Name of the Vulnerable Software and Affected Versions ACF to REST API plugin for WordPress versions through 3.3.4 Description The ACF to REST API plugin for WordPress is affected by an Insecure Direct Object Reference issue. Insufficient capability checks in the update item permissions check meth...

4.3CVSS6.1AI score0.00289EPSS
Exploits1References5
patchstack
patchstack
added 2026/01/06 10:46 p.m.14 views

WordPress ACF to REST API plugin <= 3.3.4 - Insecure Direct Object Reference to Authenticated (Contributor+) ACF Field/Option Modification vulnerability

Insecure Direct Object Reference to Authenticated Contributor+ ACF Field/Option Modification vulnerability discovered by Kai Aizen in WordPress Plugin ACF to REST API versions = 3.3.4...

4.3CVSS7AI score0.00289EPSS
Exploits1References1Affected Software1
cve
cve
added 2026/01/06 7:22 a.m.19 views

CVE-2025-12067

CVE-2025-12067 involves the WordPress plugin Table Field Add-on for ACF and SCF. The issue is stored XSS via Table Cell Content in versions up to 1.3.30, caused by insufficient input sanitization and output escaping. The vulnerability can be triggered by authenticated attackers with Author-level ...

6.4CVSS4.7AI score0.00159EPSS
Exploits0References2
cvelist
cvelist
added 2026/01/06 7:22 a.m.36 views

CVE-2025-12067 Table Field Add-on for ACF and SCF <= 1.3.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table Cell Content

The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00159EPSS
Exploits0References2
cnnvd
cnnvd
added 2026/01/06 12:0 a.m.8 views

WordPress plugin Table Field Add-on for ACF and SCF 跨站脚本漏洞

WordPress and the WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. WordPress is a blogging platform developed using the PHP language, which provides the ability to host a personal blog site on a PHP and MySQL based...

6.4CVSS5.5AI score0.00159EPSS
Exploits0References2
githubexploit
githubexploit
added 2025/12/05 7:57 a.m.227 views

Exploit for CVE-2025-13486

CVE-2025-13486 The Advanced Custom...

9.8CVSS7.3AI score0.73557EPSS
Exploits10
Rows per page
Query Builder