Filtered by vendor Advancedcustomfields
Subscriptions
Filtered by product Advanced Custom Fields
Subscriptions
Total
13 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-6701 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2024-02-09 | 5.4 Medium |
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
CVE-2022-40696 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2024-01-11 | 7.5 High |
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WP Engine Advanced Custom Fields (ACF).This issue affects Advanced Custom Fields (ACF): from 3.1.1 through 6.0.2. | ||||
CVE-2023-1196 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2023-11-07 | 8.8 High |
The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. | ||||
CVE-2023-40068 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2023-08-25 | 5.4 Medium |
Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege. | ||||
CVE-2023-30777 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2023-05-17 | 6.1 Medium |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5 versions. | ||||
CVE-2022-2594 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2022-08-23 | 8.8 High |
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. | ||||
CVE-2022-23183 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2022-04-07 | 6.5 Medium |
Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission. | ||||
CVE-2021-20867 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2021-12-15 | 6.5 Medium |
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors. | ||||
CVE-2021-20866 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2021-12-15 | 6.5 Medium |
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors. | ||||
CVE-2021-20865 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2021-12-15 | 7.5 High |
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors. | ||||
CVE-2021-24241 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2021-04-29 | 6.1 Medium |
The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page. | ||||
CVE-2020-36172 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2021-01-08 | 6.1 Medium |
The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. | ||||
CVE-2018-20986 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2019-08-27 | N/A |
The advanced-custom-fields (aka Elliot Condon Advanced Custom Fields) plugin before 5.7.8 for WordPress has XSS by authors. |
Page 1 of 1.