Advanced Custom Fields (ACF®)

Vulnerabilities: 37 | Slug: advanced-custom-fields | Latest version: 6.8.0

Minimum safe version

6.7.1

Update to 6.7.1 or later to address 35 fixable vulnerabilities

Latest available: 6.8.0 | Affected up to: 6.1.7
Medium 5.3
2026-04-22 | < 6.7.1

Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters

N/A
2025-08-08 | < 6.4.3

WordPress plugin "Advanced Custom Fields" vulnerable to HTML injection

N/A
2025-08-05 | < 3.5.2

WordPress Advanced Custom Fields Plugin <= 3.5.1 is vulnerable to Remote Code Execution (RCE)

Critical 10.0
2025-08-05 | < 3.5.2

CVE-2012-10025

N/A
2024-10-16 | < 6.3.9

WordPress Advanced Custom Fields Plugin <= 6.3.6.2 is vulnerable to Cross Site Scripting (XSS)

N/A
2024-10-15 | < 6.3.9

Advanced Custom Fields <= 6.3.8 & Secure Custom Fields <= 6.3.6.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Medium 5.3
2024-10-17 | < 6.3.9

CVE-2024-49593

N/A
2024-10-07 | < 6.3.8

Advanced Custom Fields <= 6.3.8 - Authenticated (Admin+) Limited Arbitrary Function Call

N/A
2024-01-16 | < 6.2.5

WordPress Advanced Custom Fields Plugin < 6.2.5 is vulnerable to Cross Site Scripting (XSS)

Medium 5.4
2023-08-21 | ≥ 6.1.0 and ≤ 6.1.7

CVE-2023-40068

High 7.1
2023-05-10 | < 6.1.6

CVE-2023-30777

N/A
2023-08-03 | < 6.1.8

WordPress Advanced Custom Fields Plugin <= 6.1.7 is vulnerable to Cross Site Scripting (XSS)

N/A
2023-08-03 | < 6.1.8

Advanced Custom Fields 6.1 - 6.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

N/A
2023-05-04 | < 6.1.6

Advanced Custom Fields (Free and Pro) 5.8.10 to 5.12.5 & 6.0.0 to 6.1.5 - Reflected Cross-Site Scripting via 'post_status'

N/A
2023-04-04 | < 5.12.5

WordPress Advanced Custom Fields Plugin <= 6.0.7 is vulnerable to PHP Object Injection

N/A
2013-01-03 | < 3.5.2

Advanced Custom Fields <= 3.5.1 - Remote Code Execution via Remote File Inclusion

N/A
2019-02-15 | < 5.7.12

Advanced Custom Fields <= 5.7.11 - PHP Object Injection

N/A
< 3.5.2

Advanced Custom Fields <= 3.5.1 - Remote File Inclusion

N/A
< 5.7.12

Advanced Custom Fields <= 5.7.10 - Unserialize of user input

N/A
2013-01-03 | < 3.5.2

WordPress Advanced Custom Fields Plugin - Remote File Inclusion

N/A
2016-08-08 | < 1.1.13

WordPress Advanced Custom Fields Plugin <= 1.1.12 - Stored Cross Site Scripting

N/A
2018-12-10 | < 5.7.8

WordPress Advanced Custom Fields plugin <= 5.7.7 - Authenticated Cross-Site Scripting (XSS) vulnerability

N/A
2021-08-25 | < 5.10

WordPress Advanced Custom Fields plugin <= 5.9.9 - Arbitrary ACF Data/Field Groups View and Fields Move vulnerability