Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities found for Advanced Custom Fields by WPEngine, Inc.

    CVE-2025-54940 (GCVE-0-2025-54940)

    Vulnerability from nvd – Published: 2025-08-08 04:34 – Updated: 2025-08-08 16:11
    VLAI
    Summary
    An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-08T16:11:01.929075Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-08T16:11:14.551Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Advanced Custom Fields",
              "vendor": "WPEngine, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 6.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An HTML injection vulnerability exists in WordPress plugin \"Advanced Custom Fields\" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 3.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code injection",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-08T04:34:02.380Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.advancedcustomfields.com/blog/acf-6-4-3-security-release/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN21048820/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-54940",
        "datePublished": "2025-08-08T04:34:02.380Z",
        "dateReserved": "2025-08-01T05:50:41.871Z",
        "dateUpdated": "2025-08-08T16:11:14.551Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54940 (GCVE-0-2025-54940)

    Vulnerability from cvelistv5 – Published: 2025-08-08 04:34 – Updated: 2025-08-08 16:11
    VLAI
    Summary
    An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-08T16:11:01.929075Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-08T16:11:14.551Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Advanced Custom Fields",
              "vendor": "WPEngine, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 6.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An HTML injection vulnerability exists in WordPress plugin \"Advanced Custom Fields\" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 3.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code injection",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-08T04:34:02.380Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.advancedcustomfields.com/blog/acf-6-4-3-security-release/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN21048820/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-54940",
        "datePublished": "2025-08-08T04:34:02.380Z",
        "dateReserved": "2025-08-01T05:50:41.871Z",
        "dateUpdated": "2025-08-08T16:11:14.551Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }