Advanced Custom Fields
WP Engine
Developer
6.6.2
Latest version
2,000,000
Installations
Oct 29, 2025
Last updated
Vulnerability history
0 present
20 fixed
5 Mitigation rules
- Remote Code Execution via Remote File Inclusion vulnerability<= 3.5.1Aug 5, 2025
- Authenticated (Admin+) Stored Cross-Site Scripting vulnerability<= 6.3.6.2Oct 16, 2024
- Administrator+ Limited Arbitrary Function Call vulnerability<= 6.3.6Oct 7, 2024
- Missing Authorization to Information Disclosure vulnerability< 5.11Oct 4, 2024
- Missing Authorization to Information Disclosure vulnerability< 5.11Oct 4, 2024
- Missing Authorization on Option Changes vulnerability< 5.11Oct 4, 2024
- Auth. Custom Field Access< 6.3Jun 3, 2024
- Contributor+ Stored Cross-Site Scripting vulnerability< 6.2.5Jan 16, 2024
- Authenticated Stored Cross-Site Scripting vulnerability6.1-6.1.7Aug 3, 2023
- Reflected Cross Site Scripting (XSS) vulnerability5.8.10-5.12.5May 5, 2023
- Contributor+ PHP Object Injection vulnerability< 5.12.5May 2, 2023
- Authenticated (Contributor+) PHP Object Injection vulnerability<= 6.0.7Apr 4, 2023
- WordPress Advanced Custom Fields plugin 3.1.1 - 6.0.2 - Custom Field Value Exposure vulnerability3.1.1-6.0.2Oct 18, 2022
- Unauthenticated File Upload vulnerability<= 5.12.2Aug 1, 2022
- Database Information Access vulnerability<= 5.12Mar 30, 2022
- Arbitrary ACF Data/Field Groups View and Fields Move vulnerability<= 5.9.9Aug 25, 2021
- Cross-Site Scripting (XSS) vulnerability<= 5.8.11Jun 21, 2020
- Authenticated Cross-Site Scripting (XSS) vulnerability<= 5.7.7Dec 10, 2018
- Stored Cross Site Scripting<= 1.1.12Aug 8, 2016
- Remote File Inclusion<= 3.5.1Jan 3, 2013