← back
CVE-2024-49593

CVE-2024-49593

CVSS 5.3 MEDIUMEPSS 0.5%CWE-79
In Advanced Custom Fields (ACF) before 6.3.9 and Secure Custom Fields before 6.3.6.3 (plugins for WordPress), using the Field Group editor to edit one of the plugin's fields can result in execution of a stored XSS payload. NOTE: if you wish to use the WP Engine alternative update mechanism for the free version of ACF, then you can follow the process shown at the advancedcustomfields.com blog URL within the References section below.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wordpress.org/plugins/advanced-custom-fields/#developershttps://www.advancedcustomfields.com/blog/installing-and-upgrading-to-the-latest-version-of-acf/https://www.advancedcustomfields.com/changelog/https://x.com/wp_acf/status/1845190372764401908