Advanced Custom Fields

15 matches found

CVE | added 2023/05/10 5:50 a.m. | 414 views

CVE-2023-30777

Summary: CVE-2023-30777 is a reflected XSS affecting the WordPress plugins Advanced Custom Fields (Pro) and Advanced Custom Fields, versioned

CVSS 7.1 | AI score 6 | EPSS 0.38768
Web

CVE | added 2022/08/22 3:5 p.m. | 274 views

CVE-2022-2594

The CVE-2022-2594 entry concerns the WordPress plugins Advanced Custom Fields (ACF) and Advanced Custom Fields Pro (ACF Pro) prior to version 5.12.3. Affects ACF and ACF Pro when a frontend form is available, allowing unauthenticated users to upload files permitted by default WordPress configurat...

CVSS 8.8 | AI score 8.7 | EPSS 0.01264
Web

CVE | added 2022/03/31 7:20 a.m. | 233 views

CVE-2022-23183

CVE-2022-23183 affects WordPress plugin Advanced Custom Fields (ACF) and Advanced Custom Fields Pro, with versions prior to 5.12.1 vulnerable to missing authorization. A remote authenticated attacker could view database information without proper permissions. Root cause: insufficient access contr...

CVSS 6.5 | AI score 6 | EPSS 0.01437

CVE | added 2023/05/02 8:39 a.m. | 196 views

CVE-2023-1196

The CVE-2023-1196 entry concerns the Advanced Custom Fields (ACF) Free and Pro WordPress plugins. Affected versions are 5.x before 5.12.5 and 6.x before 6.1.0. The root cause is unserialize of user-controllable data, enabling PHP Object Injection when a suitable gadget is present. Valid risk is t...

CVSS 8.8 | AI score 8.8 | EPSS 0.0108

CVE | added 2024/11/15 6:0 a.m. | 124 views

CVE-2024-9529

CVE-2024-9529 affects WordPress plugins Secure Custom Fields (Secure Custom Fields WordPress plugin) up to versions before 6.3.9 and 6.3.6.3, and Advanced Custom Fields Pro up to before 6.3.9. Root cause: the plugins’ Settings Import functionality does not prevent executing arbitrary PHP function...

CVSS 6.6 | AI score 6.4 | EPSS 0.00435

CVE | added 2024/02/05 9:22 p.m. | 117 views

CVE-2023-6701

CVE-2023-6701 affects the WordPress plugin Advanced Custom Fields (ACF), with a stored XSS vulnerability in a custom text field. Affected versions: all up to and including 6.2.4. Root cause: insufficient input sanitization and output escaping. Exploitation requires authenticated access (contrib...

CVSS 6.4 | AI score 5.2 | EPSS 0.00523

CVE | added 2023/08/21 8:13 a.m. | 114 views

CVE-2023-40068

CVE-2023-40068 is a cross-site scripting vulnerability in Advanced Custom Fields (ACF) and ACF Pro versions 6.1.0–6.1.7. An attacker with administrative privileges (authenticated) can trigger the browser to execute arbitrary scripts on the logged-in user’s session, enabling potential cookie/crede...

CVSS 5.4 | AI score 5.4 | EPSS 0.0148

CVE | added 2021/04/22 9:0 p.m. | 90 views

CVE-2021-24241

CVE-2021-24241 affects the WordPress plugin Advanced Custom Fields Pro (before 5.9.1). The issue is a reflected XSS in the update settings page caused by insufficient escaping of the generated update URL when output in an attribute. Impact described in multiple sources includes the possibility of...

CVSS 6.1 | AI score 6 | EPSS 0.01387

CVE | added 2021/12/13 6:40 a.m. | 70 views

CVE-2021-20866

The CVE-2021-20866 vulnerability affects Advanced Custom Fields (ACF) and ACF Pro prior to version 5.11. The issue is a missing authorization in obtaining the user list, leading to potential information disclosure of unauthorized user data via unspecified vectors. Public sources in Patchstack ind...

CVSS 6.5 | AI score 6.2 | EPSS 0.01662

CVE | added 2021/01/06 2:17 p.m. | 68 views

CVE-2020-36172

The CVE-2020-36172 entry concerns the WordPress plugin Advanced Custom Fields. Concrete details from connected sources show that the plugin (versions before 5.8.12) mishandles escaping of strings in Select2 dropdowns, which can lead to Cross-Site Scripting (XSS). There is no explicit exploit path...

CVSS 6.1 | AI score 6.2 | EPSS 0.00896

CVE | added 2024/06/20 6:0 a.m. | 68 views

CVE-2024-4565

CVE-2024-4565 affects Advanced Custom Fields (ACF) for WordPress and ACF Pro prior to version 6.3, where a shortcode can display a post’s custom field values without proper access checks. This is an information disclosure issue involving unauthorized access to field data via shortcode rendering. ...

CVSS 7.5 | AI score 6.7 | EPSS 0.00428

CVE | added 2019/08/22 7:38 p.m. | 64 views

CVE-2018-20986

CVE-2018-20986 concerns the WordPress plugin Advanced Custom Fields (vendor: a.k.a. Elliot Condon) prior to version 5.7.8. The vulnerability is an XSS issue reported as “XSS by authors,” indicating that unauthenticated or authenticated users with certain roles may inject and execute client-side s...

CVSS 5.4 | AI score 5.3 | EPSS 0.00948

CVE | added 2024/01/08 10:2 p.m. | 60 views

CVE-2022-40696

CVE-2022-40696 affects WordPress plugin WP Engine Advanced Custom Fields (ACF): versions 3.1.1 through 6.0.2 are vulnerable to information disclosure. The underlying issue is described as a Custom Field Value Exposure via parsed shortcode from user input, leading to disclosure of sensitive data t...

CVSS 7.5 | AI score 7.3 | EPSS 0.0052

CVE | added 2021/12/13 6:40 a.m. | 58 views

CVE-2021-20867

CVE-2021-20867 affects Advanced Custom Fields (ACF) and ACF Pro versions prior to 5.11. The root cause is a missing authorization mechanism for moving field groups, which could allow an attacker to move field groups they should not access via unspecified vectors. Public sources in the connected d...

CVSS 6.5 | AI score 6.4 | EPSS 0.01368

CVE | added 2021/12/13 6:40 a.m. | 56 views

CVE-2021-20865

CVE-2021-20865 affects the WordPress plugins Advanced Custom Fields (ACF) and Advanced Custom Fields Pro, with vulnerable versions prior to 5.11. The root cause is a missing authorization in the database-browsing pathway, potentially allowing an attacker to access unauthorized data via unspecifie...

CVSS 7.5 | AI score 7.3 | EPSS 0.02462