Vulnerabilities > Advancedcustomfields

DATE CVE VULNERABILITY TITLE RISK
2021-12-13 CVE-2021-20867 Missing Authorization vulnerability in Advancedcustomfields Advanced Custom Fields
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors.
network
low complexity
advancedcustomfields CWE-862
6.5
2021-04-22 CVE-2021-24241 Unspecified vulnerability in Advancedcustomfields Advanced Custom Fields 5.8.13/5.8.14/5.9.0
The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.
network
low complexity
advancedcustomfields
6.1
2021-01-06 CVE-2020-36172 Cross-site Scripting vulnerability in Advancedcustomfields Advanced Custom Fields
The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS.
network
low complexity
advancedcustomfields CWE-79
6.1
2019-10-10 CVE-2015-9479 Unrestricted Upload of File with Dangerous Type vulnerability in Advancedcustomfields ACF Fronted Display
The ACF-Frontend-Display plugin through 2015-07-03 for WordPress has arbitrary file upload via an action=upload request to js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php.
network
low complexity
advancedcustomfields CWE-434
critical
9.8
2019-08-22 CVE-2018-20986 Cross-site Scripting vulnerability in Advancedcustomfields Advanced Custom Fields
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors.
network
low complexity
advancedcustomfields CWE-79
5.4