Skip to main content

Sympl Repeater ACF EUVDEUVD-2026-42176

| CVE-2026-10570 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 Wordfence GHSA-xr3q-2xmr-89w4
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Author-level credentials required (PR:L); victim must passively visit the injected page to trigger execution (UI:R); scope change captures cross-browser impact (S:C); no availability impact warranted.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 06:37 vuln.today
CVE Published
Jul 08, 2026 - 05:34 nvd
MEDIUM 6.4

DescriptionCVE.org

The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symp_arfe_replace_content() function, which uses str_replace() to substitute raw ACF field values (retrieved via get_field()) directly into Elementor-rendered HTML without any escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain Author-level WordPress account
Delivery
Create or edit page with ACF repeater field
Exploit
Inject JavaScript payload into repeater field value
Install
Plugin stores unsanitized payload in database
C2
Victim user navigates to affected page
Execute
symp_arfe_replace_content() renders raw field value into Elementor HTML
Impact
Malicious script executes in victim browser

Vulnerability AssessmentAI

Exploitation The target WordPress site must have the Sympl Repeater for ACF and Elementor plugin (version 2.3 or earlier) installed and active alongside both the Advanced Custom Fields (ACF) plugin and the Elementor page builder, as the vulnerable symp_arfe_replace_content() function is specifically invoked within the ACF-Elementor integration pipeline. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 Medium with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N signals a network-reachable, low-complexity, authenticated (Author-level) attack with scope-changed impact reaching visiting users' browsers - a realistic threat profile on multi-author WordPress sites such as blogs, news portals, and collaborative content platforms. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding Author-level credentials on a target WordPress site creates or edits a post using the Sympl Repeater for ACF and Elementor plugin, inserting a JavaScript payload - such as a cookie-exfiltration script pointing to an attacker-controlled endpoint - into an ACF repeater field value. When any subsequent visitor, including a site administrator, loads the affected page, symp_arfe_replace_content() injects the unsanitized field value into the Elementor HTML output, executing the attacker's script in the victim's browser. …
Remediation No patched version is confirmed in the available data - the CPE wildcard covers all versions through 2.3 with no upper-bound fix release identified, and the Wordfence advisory does not reference a patched version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy