
cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor: Advancedcustomfields (e8a84e8d-53f9-5756-91a6-d5d46272298f)
Product: Advanced Custom Fields (0538de15-a734-5fa4-a59e-a2fb65186789)
Edition: *
Language: *
Software edition: *
Target software: wordpress
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL: pkg:github/jazbek/advanced-custom-fields
Source: purl2cpe
Last updated: 2026-06-01 10:14:50.575595

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2023-1196 vulnerable 2026-06-08 05:52:34.084895 Advanced Custom Fields - Contributor+ PHP Object Injection
The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.
Published: 2023-05-02T08:39:29.005Z
Updated: 2025-01-30T14:21:42.963Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-40696 vulnerable 2026-06-08 05:48:27.915958 WordPress Advanced Custom Fields Plugin 3.1.1-6.0.2 is vulnerable to Sensitive Data Exposure
LOW (3.7)
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WP Engine Advanced Custom Fields (ACF). This issue affects Advanced Custom Fields (ACF): from 3.1.1 through 6.0.2.
Published: 2024-01-08T22:02:53.269Z
Updated: 2026-04-28T16:07:48.620Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-2594 vulnerable 2026-06-08 05:43:35.867601 Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.
Published: 2022-08-22T15:05:03.000Z
Updated: 2024-08-03T00:39:08.043Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-20867 vulnerable 2026-06-08 05:29:10.730350 Details available
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors.
Published: 2021-12-13T06:40:16.000Z
Updated: 2024-08-03T17:53:22.983Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-20866 vulnerable 2026-06-08 05:29:10.729980 Details available
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors.
Published: 2021-12-13T06:40:14.000Z
Updated: 2024-08-03T17:53:22.640Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-20865 vulnerable 2026-06-08 05:29:10.728696 Details available
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors.
Published: 2021-12-13T06:40:13.000Z
Updated: 2024-08-03T17:53:22.754Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-36172 vulnerable 2026-06-08 05:25:02.528435 Details available
The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS.
Published: 2021-01-06T14:17:41.000Z
Updated: 2024-08-04T17:23:09.354Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20986 vulnerable 2026-06-08 05:11:28.277673 Details available
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors.
Published: 2019-08-22T19:38:42.000Z
Updated: 2024-08-05T12:19:27.499Z
Imported from gcve-enriched-dumps CVE data
