WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Acf Extended safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Acf Extended WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: acf-extended
  • Requires PHP: 5.6+
  • Max supported PHP (analyzed): <8.0

Known vulnerabilities

  • Advanced Custom Fields: Extended [acf-extended] < 0.8.8.7 [CVE-2021-24865, WordPress Advanced Custom Fields: Extended plugin <= 0.8.8.6 - SQL Injection (SQLi) vulnerability, Advanced Custom Fields: Extended &lt; 0.8.8.7 - Admin+ SQL Injection, Advanced Custom Fields: Extended <= 0.8.8.6 - Admin+ SQL Injection]
  • Advanced Custom Fields: Extended [acf-extended] < 0.8.9.4 [CVE-2023-5292, Advanced Custom Fields: Extended <= 0.8.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode, WordPress Advanced Custom Fields: Extended Plugin <= 0.8.9.3 is vulnerable to Cross Site Scripting (XSS), Advanced Custom Fields: Extended &lt; 0.8.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]
  • Advanced Custom Fields: Extended [acf-extended] < 0.9.2 [CVE-2025-13486, Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form]
  • Advanced Custom Fields: Extended [acf-extended] < 0.9.2.2 [CVE-2025-14533, Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action]
  • Advanced Custom Fields: Extended [acf-extended] < 0.9.2.4 [CVE-2025-15463, WordPress ACF Extended Plugin <= 0.9.2.3 is vulnerable to a medium priority Content Injection, Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution, EUVD-2025-209809]
+ 1 more known vulnerability
  • Advanced Custom Fields: Extended [acf-extended] < 0.9.2.6 [CVE-2026-8809, Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.