Input validation vulnerability in Advanced Custom Fields 6.3.6.2

The Advanced Custom Fields and Secure Custom Fields plugins for WordPress have an input validation vulnerability that allows attackers to inject harmful scripts into pages. Exploitation requires administrator-level access, and is only possible when the website is a multi-site installation or the unfiltered_html capability has been disabled. To fix this issue, update to the latest version of ACF. Please refer to the provided instructions for how to do this. Note also that only the minified files in Secure Custom Fields have been fixed, so the original source files may still be vulnerable.

Detected in:

Advanced Custom Fields (ACF) fixed vulnerable versions: >= * <= 6.3.6
Advanced Custom Fields (ACF®) fixed vulnerable versions:
Advanced Custom Fields Pro fixed vulnerable versions: >= * <= 6.3.8
Secure Custom Fields fixed vulnerable versions:

This information is sourced from www.wpvulnerability.com, an open-source database of vulnerabilities maintained by the community. Help us out by submitting vulnerabilities!

The version comparison shows which versions are vulnerable. For example, >= 2.2.8 <= 2.2.21 means:

> from 2.2.8
= including 2.2.8 & 2.2.21
< to 2.2.21
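
The following Python checks installed plugin versions against range expressions in the notation explained above. It is an added example, not code from the plugins or from wpvulnerability.com; the installed versions are constructed, and comparing dotted versions numerically with missing components treated as 0 is an assumption.

```python
import re
from itertools import zip_longest

CLAUSE = re.compile(r"(>=|<=|>|<|=)\s*(\*|\d+(?:\.\d+)*)")

def parse_version(text):
    # Assumption: versions are dotted integers, e.g. "6.3.6" or "6.3.6.2".
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def compare(a, b):
    # Assumption: missing trailing components count as 0, so 2.2.21.1 > 2.2.21.
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def parse_range(expr):
    clauses = CLAUSE.findall(expr)
    if not clauses or CLAUSE.sub("", expr).strip():
        raise ValueError(f"unparseable range: {expr!r}")
    # "*" means there is no bound on that side of the range.
    return [(op, None if v == "*" else parse_version(v)) for op, v in clauses]

def in_range(installed, expr):
    version = parse_version(installed)
    for op, bound in parse_range(expr):
        if bound is None:
            continue
        c = compare(version, bound)
        if not {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c == 0}[op]:
            return False
    return True

def audit(installed, ranges):
    # An empty or malformed range is reported as "unknown", never as safe.
    report = {}
    for name, version in installed.items():
        try:
            hit = in_range(version, ranges.get(name, ""))
            report[name] = "affected" if hit else "not in range"
        except ValueError:
            report[name] = "unknown"
    return report

# Ranges as listed on this page; an empty string means no range is given.
RANGES = {"Advanced Custom Fields (ACF)": ">= * <= 6.3.6",
          "Advanced Custom Fields Pro": ">= * <= 6.3.8", "Secure Custom Fields": ""}
# Constructed sample inventory (not real site data).
INSTALLED = {"Advanced Custom Fields (ACF)": "6.3.5",
             "Advanced Custom Fields Pro": "6.3.9", "Secure Custom Fields": "6.3.6"}
```

Calling `audit(INSTALLED, RANGES)` returns one status per plugin; entries with no published range come back as "unknown" so they get a manual check instead of being silently treated as unaffected.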
