Advanced Custom Fields

The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from running arbitrary functions through its setting import functionalities, which could allow high privilege users such as admin to run arbitrary PHP functions.

Published: 2024-11-15T06:00:08.369Z
Updated: 2024-11-15T18:38:37.432Z

The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct access

Published: 2024-06-20T06:00:02.546Z
Updated: 2025-08-27T12:00:41.514Z

Vulnerability discovered by executing a planned security audit. Improper Control of Generation of Code ('Code Injection') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10.

Published: 2024-06-10T15:34:32.438Z
Updated: 2026-04-28T16:09:50.172Z

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.

Published: 2023-08-21T08:13:50.271Z
Updated: 2024-10-04T17:57:33.499Z

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5 versions.

Published: 2023-05-10T05:50:04.023Z
Updated: 2026-04-28T16:08:19.637Z

The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.

Published: 2022-08-22T15:05:03.000Z
Updated: 2024-08-03T00:39:08.043Z

Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission.

Published: 2022-03-31T07:20:54.000Z
Updated: 2024-08-03T03:36:20.034Z

The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.

Published: 2021-04-22T21:00:51.000Z
Updated: 2024-08-03T19:21:18.775Z

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors.

Published: 2021-12-13T06:40:16.000Z
Updated: 2024-08-03T17:53:22.983Z

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors.

Published: 2021-12-13T06:40:14.000Z
Updated: 2024-08-03T17:53:22.640Z

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors.

Published: 2021-12-13T06:40:13.000Z
Updated: 2024-08-03T17:53:22.754Z