Advanced_custom_fields - Vulncode-DB

Note:

This project will be discontinued after December 13, 2021. [more]

Product:
Advanced_custom_fields
(Advancedcustomfields)

Repositories	Unknown: This might be proprietary software.
#Vulnerabilities	15

Date	Id	Summary	Products	Score	Patch	Annotated
2024-11-15	CVE-2024-9529	The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from running arbitrary functions through its setting import functionalities, which could allow high privilege users such as admin to run arbitrary PHP functions.	Advanced_custom_fields	N/A
2023-05-02	CVE-2023-1196	The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.	Advanced_custom_fields	8.8
2021-01-06	CVE-2020-36172	The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS.	Advanced_custom_fields	6.1
2021-04-22	CVE-2021-24241	The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.	Advanced_custom_fields	6.1
2021-12-13	CVE-2021-20865	Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors.	Advanced_custom_fields	7.5
2021-12-13	CVE-2021-20866	Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors.	Advanced_custom_fields	6.5
2021-12-13	CVE-2021-20867	Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors.	Advanced_custom_fields	6.5
2022-03-31	CVE-2022-23183	Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission.	Advanced_custom_fields	6.5
2022-08-22	CVE-2022-2594	The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.	Advanced_custom_fields	8.8
2023-05-10	CVE-2023-30777	Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5 versions.	Advanced_custom_fields	6.1