WordPress Advanced Custom Fields (ACF®) plugin <= 6.8.1 - Unauthenticated Arbitrary Post Modification vulnerability

Don't mute a vulnerability until you've confirmed your current version has a fix, or the issue doesn't affect your site.

Type:
Broken Access Control
Score:
5.3
Fixed in Version 6.8.2

Timeline

Publicly Published
2026-05-30
Created
2026-06-02

WordPress Advanced Custom Fields (ACF®) plugin <= 6.8.1 - Unauthenticated Broken Access Control vulnerability

Don't mute a vulnerability until you've confirmed your current version has a fix, or the issue doesn't affect your site.

Type:
Broken Access Control
Score:
5.3
Fixed in Version 6.8.2

Timeline

Publicly Published
2026-05-27
Created
2026-05-27

WordPress Advanced Custom Fields (ACF®) plugin <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters vulnerability

Don't mute a vulnerability until you've confirmed your current version has a fix, or the issue doesn't affect your site.

Type:
Broken Access Control
Score:
5.3
Fixed in Version 6.7.1

Timeline

Publicly Published
2026-04-15
Created
2026-04-15

WordPress Advanced Custom Fields <= 6.3.6.2 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Don't mute a vulnerability until you've confirmed your current version has a fix, or the issue doesn't affect your site.

Type:
Cross Site Scripting (XSS)
Score:
5.9
Fixed in Version 6.3.6.3

Timeline

Publicly Published
2024-10-16
Created
2024-10-16

WordPress Advanced Custom Fields plugin <= 6.3.6 - Administrator+ Limited Arbitrary Function Call vulnerability

Don't mute a vulnerability until you've confirmed your current version has a fix, or the issue doesn't affect your site.

Type:
Arbitrary Code Execution
Score:
5.4
Fixed in Version 6.3.6.1

Timeline

Publicly Published
2024-10-07
Created
2024-10-07

WordPress Advanced Custom Fields plugin < 6.3 - Auth. Custom Field Access

Don't mute a vulnerability until you've confirmed your current version has a fix, or the issue doesn't affect your site.

Type:
Sensitive Data Exposure
Score:
4.3
Fixed in Version 6.3

Timeline

Publicly Published
2024-06-03
Created
2024-06-03

Wordpress Advanced Custom Fields plugin < 6.2.5 - Contributor+ Stored Cross-Site Scripting vulnerability

Don't mute a vulnerability until you've confirmed your current version has a fix, or the issue doesn't affect your site.

Type:
Cross Site Scripting (XSS)
Score:
6.5
Fixed in Version 6.2.5

Timeline

Publicly Published
2024-01-16
Created
2024-01-16

Wordpress Advanced Custom Fields plugin <= 6.0.7 - Authenticated (Contributor+) PHP Object Injection vulnerability

Don't mute a vulnerability until you've confirmed your current version has a fix, or the issue doesn't affect your site.

Type:
PHP Object Injection
Score:
8.5
Fixed in Version 6.1.0

Timeline

Publicly Published
2023-04-04
Created
2023-04-04