8 matches found
CVE-2026-8809
Summary: CVE-2026-8809 affects the Advanced Custom Fields: Extended (ACFE) WordPress plugin up to version 0.9.2.5. The root cause is an after_validate_save_post() path that unconditionally trusts the attacker-controlled _acf_post_id POST parameter to choose a cleanup branch, bypassing authenticat...
CVE-2025-15463
The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This make...
CVE-2025-15463
The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This make...
PT-2026-40456
Name of the Vulnerable Software and Affected Versions Advanced Custom Fields: Extended versions prior to 0.9.2.4 Description The Advanced Custom Fields: Extended plugin for WordPress allows unauthenticated attackers to execute arbitrary shortcodes. This occurs because the software fails to proper...
100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin
On December 10th, 2025, we received a submission for a Privilege Escalation vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000+ active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative...
WordPress plugin Advanced Custom Fields Extended 代码注入漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A code injection...
PT-2023-32013 · WordPress · Advanced Custom Fields: Extended
Name of the Vulnerable Software and Affected Versions: Advanced Custom Fields: Extended plugin for WordPress versions up to, and including, 0.8.9.3 Description: The issue is related to Stored Cross-Site Scripting via the 'acfe form' shortcode due to insufficient input sanitization and output...
Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Injection
The plugin does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue https://example.ocm/wp-admin/options-general.php?page=acfe-options&orderby=1%20and%20sleep0.02%23...