Advanced Custom Fields Extended
by WordPress
CVEs (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-13486 | Cri | 0.66 | 9.8 | 0.74 | Dec 3, 2025 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes… | ||
| CVE-2025-14533 | Cri | 0.64 | 9.8 | 0.01 | Jan 20, 2026 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for… | ||
| CVE-2026-8809 | Cri | 0.57 | 9.8 | 0.01 | May 28, 2026 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the… | ||
| CVE-2021-24865 | Hig | 0.40 | 7.2 | 0.01 | Jan 24, 2022 | The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue | ||
| CVE-2023-5292 | Med | 0.35 | 6.4 | 0.00 | Oct 20, 2023 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acfe_form' shortcode in versions up to, and including, 0.8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it… |
- risk 0.66cvss 9.8epss 0.74
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes…
- risk 0.64cvss 9.8epss 0.01
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for…
- risk 0.57cvss 9.8epss 0.01
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the…
- risk 0.40cvss 7.2epss 0.01
The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue
- risk 0.35cvss 6.4epss 0.00
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acfe_form' shortcode in versions up to, and including, 0.8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…