Search criteria
3 vulnerabilities by WPEngine, Inc.
CVE-2025-54940 (GCVE-0-2025-54940)
Vulnerability from cvelistv5 – Published: 2025-08-08 04:34 – Updated: 2025-08-08 16:11
VLAI?
Summary
An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered.
Severity ?
CWE
- CWE-94 - Code injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPEngine, Inc. | Advanced Custom Fields |
Affected:
prior to 6.4.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-08T16:11:01.929075Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T16:11:14.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Advanced Custom Fields",
"vendor": "WPEngine, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to 6.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in WordPress plugin \"Advanced Custom Fields\" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code injection",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T04:34:02.380Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.advancedcustomfields.com/blog/acf-6-4-3-security-release/"
},
{
"url": "https://jvn.jp/en/jp/JVN21048820/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-54940",
"datePublished": "2025-08-08T04:34:02.380Z",
"dateReserved": "2025-08-01T05:50:41.871Z",
"dateUpdated": "2025-08-08T16:11:14.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37251 (GCVE-0-2024-37251)
Vulnerability from cvelistv5 – Published: 2024-12-16 15:03 – Updated: 2024-12-16 16:34
VLAI?
Title
WordPress Advanced Custom Fields Pro plugin < 6.3.2 - Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WPENGINE, INC. Advanced Custom Fields PRO.This issue affects Advanced Custom Fields PRO: from n/a before 6.3.2.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPENGINE, INC. | Advanced Custom Fields PRO |
Affected:
n/a , < 6.3.2
(custom)
|
Credits
Rafie Muhammad (Patchstack)
Advanced Custom Fields PRO security team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:34:35.673531Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T16:34:56.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields PRO",
"vendor": "WPENGINE, INC.",
"versions": [
{
"changes": [
{
"at": "6.3.2",
"status": "unaffected"
}
],
"lessThan": "6.3.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad (Patchstack)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Advanced Custom Fields PRO security team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WPENGINE, INC. Advanced Custom Fields PRO.\u003cp\u003eThis issue affects Advanced Custom Fields PRO: from n/a before 6.3.2.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WPENGINE, INC. Advanced Custom Fields PRO.This issue affects Advanced Custom Fields PRO: from n/a before 6.3.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T15:03:38.797Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/wordpress/plugin/advanced-custom-fields-pro/vulnerability/wordpress-advanced-custom-fields-pro-plugin-6-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;6.3.2 or a higher version."
}
],
"value": "Update to\u00a06.3.2 or a higher version."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "WordPress Advanced Custom Fields Pro plugin \u003c 6.3.2 - Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37251",
"datePublished": "2024-12-16T15:03:38.797Z",
"dateReserved": "2024-06-04T16:46:44.985Z",
"dateUpdated": "2024-12-16T16:34:56.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30225 (GCVE-0-2024-30225)
Vulnerability from cvelistv5 – Published: 2024-03-28 05:00 – Updated: 2024-08-02 01:25
VLAI?
Title
WordPress WP Migrate plugin <= 2.6.10 - Unauthenticated PHP Object Injection vulnerability
Summary
Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate.This issue affects WP Migrate: from n/a through 2.6.10.
Severity ?
10 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPENGINE, INC. | WP Migrate |
Affected:
n/a , ≤ 2.6.10
(custom)
|
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpengine:wp_migrate:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wp_migrate",
"vendor": "wpengine",
"versions": [
{
"lessThanOrEqual": "2.6.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T14:23:31.344901Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:24:25.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:25:03.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-migrate-db-pro/wordpress-wp-migrate-plugin-2-6-10-unauthenticated-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Migrate",
"vendor": "WPENGINE, INC.",
"versions": [
{
"changes": [
{
"at": "2.6.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.6.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dave Jong (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate.\u003cp\u003eThis issue affects WP Migrate: from n/a through 2.6.10.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate.This issue affects WP Migrate: from n/a through 2.6.10.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T05:00:37.289Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-migrate-db-pro/wordpress-wp-migrate-plugin-2-6-10-unauthenticated-php-object-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 2.6.11 or a higher version."
}
],
"value": "Update to 2.6.11 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP Migrate plugin \u003c= 2.6.10 - Unauthenticated PHP Object Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-30225",
"datePublished": "2024-03-28T05:00:37.289Z",
"dateReserved": "2024-03-26T09:10:28.520Z",
"dateUpdated": "2024-08-02T01:25:03.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}