8 matches found
CVE-2026-8809
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the aftervalidatesavepost function unconditionally trusting the attacker-controlled acfpostid POST...
CVE-2025-14047
CVE-2025-14047 affects the WP User Frontend plugin for WordPress. A missing capability check in Frontend_Form_Ajax::submit_post in all versions up to 4.2.4 enables unauthenticated attackers to delete attachments, per the provided description. CVSS 3.1/3.1: 5.3 base score; impact indicates Low int...
CVE-2021-32735
Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's ListItem component (used in the pages and files section, for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can...
GHSA-RV3R-VQJJ-8C76 Cross-site scripting from content entered in the tags and multiselect fields
Introduction: Cross-site scripting (XSS) is a type of vulnerability that allows the execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby's API with the permissions of the victim. Such...
Cross-site scripting from content entered in the tags and multiselect fields
Introduction: Cross-site scripting (XSS) is a type of vulnerability that allows the execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby's API with the permissions of the victim. Such...
CVE-2022-2594
The Advanced Custom Fields WordPress plugin before 5.12.3 and the Advanced Custom Fields Pro WordPress plugin before 5.12.3 allow unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced i...
Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
The plugin allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. By default WordPress does not allow uploading o...
Cross site scripting
Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's ListItem component (used in the pages and files section, for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can...