Skip to main content

Sympl Repeater For Acf And Elementor

1 CVEs product

Monthly

CVE-2026-10570 MEDIUM This Month

Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector (6.4 Medium) reflects real cross-user impact on WordPress sites where multiple Authors are active.

WordPress XSS Sympl Repeater For Acf And Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector (6.4 Medium) reflects real cross-user impact on WordPress sites where multiple Authors are active.

WordPress XSS Sympl Repeater For Acf And Elementor
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy