Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Injection
Description
The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Advanced Custom Fields: Extended plugin before 0.8.8.7 fails to sanitize order and orderby parameters, leading to SQL injection.
Vulnerability
The Advanced Custom Fields: Extended WordPress plugin before version 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL injection vulnerability [1]. The vulnerable code path is reached whenever the plugin reads these request parameters and builds a SQL statement from them without first validating their values.
Exploitation
As the advisory title (Admin+) indicates, exploitation requires an account with administrator-level privileges on the WordPress site; with that access, an attacker can send a crafted HTTP request carrying malicious input in the order or orderby parameters to the site running the vulnerable plugin version.
Impact
Successful exploitation allows an attacker to inject arbitrary SQL queries. This can lead to unauthorized access, modification, or deletion of database contents, potentially compromising the entire WordPress installation and exposing sensitive data.
Mitigation
The vulnerability is fixed in version 0.8.8.7 of the Advanced Custom Fields: Extended plugin [1]. Users should update to this version or later immediately. No workarounds are provided in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
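The Vulnerability and Mitigation sections above describe the bug class (request-supplied order/orderby values reaching a SQL statement unvalidated) and the fix (validation before use). The following is an added illustration of that pattern in a generic WordPress plugin context; it is not the plugin's own code, and the function names, column list and the `$wpdb` usage are assumptions for the example.

```php
<?php
// Added example, not code from the Advanced Custom Fields: Extended plugin.
// Assumes the WordPress $wpdb global; function and column names are hypothetical.

// UNSAFE pattern: request values are interpolated straight into ORDER BY.
// ORDER BY cannot be bound with $wpdb->prepare() placeholders, so string
// interpolation here is a direct SQL injection sink.
function acfe_example_unsafe_query( $wpdb, $orderby, $order ) {
    $table = $wpdb->prefix . 'posts';
    return "SELECT ID, post_title FROM {$table} ORDER BY {$orderby} {$order}";
}

// SAFE pattern: map both parameters onto a fixed allowlist before they
// touch SQL. Any value not on the list falls back to a default, so the
// raw request value never reaches the query string.
function acfe_example_safe_query( $wpdb, $orderby, $order ) {
    $allowed_orderby = array( 'ID', 'post_title', 'post_date' ); // assumed columns
    $allowed_order   = array( 'ASC', 'DESC' );

    $orderby = in_array( $orderby, $allowed_orderby, true ) ? $orderby : 'ID';
    $order   = strtoupper( (string) $order );
    $order   = in_array( $order, $allowed_order, true ) ? $order : 'ASC';

    $table = $wpdb->prefix . 'posts';
    return "SELECT ID, post_title FROM {$table} ORDER BY {$orderby} {$order}";
}

// Usage sketch inside an admin screen handler (after the usual capability
// and nonce checks), with hypothetical request values:
// $sql  = acfe_example_safe_query( $wpdb, $_GET['orderby'] ?? '', $_GET['order'] ?? '' );
// $rows = $wpdb->get_results( $sql );
```

An explicit allowlist is the tightest control because the set of sortable columns is known at development time. WordPress also ships `sanitize_sql_orderby()`, which rejects strings that do not look like a column list with optional ASC/DESC; it is a reasonable secondary check, but it does not confine input to columns the plugin actually intends to expose, so the allowlist should remain the primary gate. When reviewing a plugin for this class of bug, look for any `order`/`orderby` request parameter that is concatenated into a query without passing through such a mapping.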
Affected products
- Advanced Custom Fields: Extended (WordPress plugin), range: <0.8.8.7
Patches
- r2648200
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/changeset/2648200 (x_refsource_CONFIRM)
- wpscan.com/vulnerability/055a2dcf-77ec-4e54-be7d-9c47f7730d1b (x_refsource_MISC)
News mentions
No linked articles in our index yet.