Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-4812 - Advanced Custom Fields Plugin
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.
PLUGIN
Advanced Custom Fields
CVE-2026-4812
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2024-9529 - Advanced Custom Fields Plugin
The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from running arbitrary functions through its setting import functionalities, which could allow high privilege users such as admin to run arbitrary PHP functions.
PLUGIN
Advanced Custom Fields
CVE-2024-9529
Risk Score
Threat Entry
Updated 2024-11-18
CVE-2024-49593 - Advanced Custom Fields Plugin
In Advanced Custom Fields (ACF) before 6.3.9 and Secure Custom Fields before 6.3.6.3 (plugins for WordPress), using the Field Group editor to edit one of the plugin's fields can result in execution of a stored XSS payload. NOTE: if you wish to use the WP Engine alternative update mechanism for the free version of ACF, then you can follow the process shown at the advancedcustomfields.com blog URL within the References section below.
PLUGIN
Advanced Custom Fields
CVE-2024-49593
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4565 - Advanced Custom Fields Plugin
The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct access
PLUGIN
Advanced Custom Fields
CVE-2024-4565
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6701 - Advanced Custom Fields Plugin
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advanced Custom Fields
CVE-2023-6701
Risk Score
Threat Entry
Updated 2025-01-30
CVE-2023-1196 - Advanced Custom Fields Plugin
The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.
PLUGIN
Advanced Custom Fields
CVE-2023-1196
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-2594 - Advanced Custom Fields Plugin
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.
PLUGIN
Advanced Custom Fields
CVE-2022-2594
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24241 - Advanced Custom Fields Plugin
The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.
PLUGIN
Advanced Custom Fields
CVE-2021-24241
Risk Score