Skip to main content

Advanced Custom Fields

15 CVEs product

Monthly

CVE-2026-48906 CRITICAL Act Now

Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.

Authentication Bypass Novarain Tassos Framework Plg System Nrframework Convert Forms Engagebox Google Structured Data +5
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2024-9529 MEDIUM POC This Month

The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure PHP Advanced Custom Fields
NVD WPScan
CVSS 3.1
6.6
EPSS
0.4%
CVE-2024-45429 MEDIUM This Month

Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Advanced Custom Fields
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-4565 MEDIUM POC This Month

The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Advanced Custom Fields
NVD WPScan
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-6701 MEDIUM PATCH This Month

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Advanced Custom Fields Advanced Custom Fields
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2023-22676 LOW Monitor

Missing Authorization vulnerability in Anders Thorborg.4.12. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Advanced Custom Fields Advanced Custom Fields
NVD
CVSS 3.1
3.1
EPSS
0.3%
CVE-2023-40068 MEDIUM This Month

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Advanced Custom Fields
NVD
CVSS 3.1
5.4
EPSS
1.5%
CVE-2023-30777 MEDIUM POC THREAT This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Advanced Custom Fields
NVD
CVSS 3.1
6.1
EPSS
38.8%
CVE-2023-1196 HIGH POC This Week

The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Deserialization Advanced Custom Fields
NVD WPScan
CVSS 3.1
8.8
EPSS
1.1%
CVE-2022-2594 HIGH POC This Week

The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP File Upload Advanced Custom Fields
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2022-23183 MEDIUM This Month

Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-20867 MEDIUM This Month

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-20866 MEDIUM This Month

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-20865 HIGH This Week

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
CVSS 3.1
7.5
EPSS
2.5%
CVE-2021-24241 MEDIUM POC This Month

The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Advanced Custom Fields
NVD GitHub WPScan
CVSS 3.1
6.1
EPSS
1.4%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Arbitrary file deletion in the Novarain/Tassos Framework system plugin (plg_system_nrframework) and the suite of Tassos.gr Joomla extensions that bundle it lets remote unauthenticated attackers delete arbitrary files on affected sites. The CVSS 4.0 vector (PR:N/UI:N) and the 'Authentication Bypass' tag indicate no credentials or interaction are needed, and the high integrity/availability impact reflects that deleting core files such as Joomla's configuration.php can lead to denial of service or site takeover. There is no public exploit identified at time of analysis, and EPSS is low (0.07%, 21st percentile) with no CISA KEV listing, indicating no observed exploitation despite the critical 9.3 base score.

Authentication Bypass Novarain Tassos Framework Plg System Nrframework Convert Forms +7
NVD
EPSS 0% CVSS 6.6
MEDIUM POC This Month

The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure PHP +1
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Advanced Custom Fields
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Advanced Custom Fields
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Advanced Custom Fields +1
NVD VulDB
EPSS 0% CVSS 3.1
LOW Monitor

Missing Authorization vulnerability in Anders Thorborg.4.12. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Advanced Custom Fields Advanced Custom Fields
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Advanced Custom Fields
NVD
EPSS 39% CVSS 6.1
MEDIUM POC THREAT This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Advanced Custom Fields
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Deserialization +1
NVD WPScan
EPSS 1% CVSS 8.8
HIGH POC This Week

The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP File Upload +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM This Month

Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Advanced Custom Fields
NVD GitHub WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy