Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Author-level credentials required (PR:L); victim must passively visit the injected page to trigger execution (UI:R); scope change captures cross-browser impact (S:C); no availability impact warranted.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symp_arfe_replace_content() function, which uses str_replace() to substitute raw ACF field values (retrieved via get_field()) directly into Elementor-rendered HTML without any escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target WordPress site must have the Sympl Repeater for ACF and Elementor plugin (version 2.3 or earlier) installed and active alongside both the Advanced Custom Fields (ACF) plugin and the Elementor page builder, as the vulnerable symp_arfe_replace_content() function is specifically invoked within the ACF-Elementor integration pipeline. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 Medium with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N signals a network-reachable, low-complexity, authenticated (Author-level) attack with scope-changed impact reaching visiting users' browsers - a realistic threat profile on multi-author WordPress sites such as blogs, news portals, and collaborative content platforms. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding Author-level credentials on a target WordPress site creates or edits a post using the Sympl Repeater for ACF and Elementor plugin, inserting a JavaScript payload - such as a cookie-exfiltration script pointing to an attacker-controlled endpoint - into an ACF repeater field value. When any subsequent visitor, including a site administrator, loads the affected page, symp_arfe_replace_content() injects the unsanitized field value into the Elementor HTML output, executing the attacker's script in the victim's browser. … |
| Remediation | No patched version is confirmed in the available data - the CPE wildcard covers all versions through 2.3 with no upper-bound fix release identified, and the Wordfence advisory does not reference a patched version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42176
GHSA-xr3q-2xmr-89w4