Product
advancedcustomfields advanced custom fields
20 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-48906, affected versions: >= 1.0.0 and <= 2.8.12
The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.

CVE-2024-9529, affected versions: < 6.3.9
The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fiel

CVE-2024-45429, affected versions: <= 6.3.5
Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro vers

CVE-2024-4565, affected versions: < 6.3
The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to

CVE-2023-6701, affected versions: <= 6.2.4
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all

CVE-2022-40696, affected versions: >= 3.1.1 and <= 6.0.2
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WP Engine Advanced Custom Fields (ACF). This issue affe

CVE-2023-22676, affected versions: <= 1.4.12
Missing Authorization vulnerability in Anders Thorborg. This issue affects Anders Thorborg: from n/a through 1.4.12.

CVE-2023-40068, affected versions: >= 6.1.0 and <= 6.1.7
Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0

CVE-2023-30777, affected versions: < 6.1.6
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fiel

CVE-2023-1196, affected versions: >= 5.0.0 and < 5.12.5
The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllab

CVE-2022-2594, affected versions: >= 5.0.0 and < 5.12.3
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauth

CVE-2022-23183, affected versions: < 5.12.1
Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions pri

CVE-2021-24865, affected versions: < 0.8.8.7
The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before usi

CVE-2021-20867, affected versions: < 5.11
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorizatio

CVE-2021-20866, affected versions: < 5.11
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorizatio

CVE-2021-20865, affected versions: < 5.11
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorizatio

CVE-2021-24241, affected versions: < 5.9.1
The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it i

CVE-2020-36172, affected versions: < 5.8.12
The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially

CVE-2015-9479, affected versions: <= 2015-07-03
The ACF-Frontend-Display plugin through 2015-07-03 for WordPress has arbitrary file upload via an action=upload request to js/blue

CVE-2018-20986, affected versions: < 5.7.8
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors.