PLUGIN SECURITY
Is Advanced Custom Fields safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Advanced Custom Fields WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
advanced-custom-fields - Requires PHP: 7.4+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.11 [CVE-2021-20865, Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields", Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure, WordPress Advanced Custom Fields Plugin < 5.11 is vulnerable to Broken Access Control, WordPress Advanced Custom Fields PRO Plugin < 5.11 is vulnerable to Broken Access Control, EUVD-2021-8274]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.11 [CVE-2021-20866, Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields", Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure, WordPress Advanced Custom Fields Plugin < 5.11 is vulnerable to Broken Access Control, WordPress Advanced Custom Fields PRO Plugin < 5.11 is vulnerable to Broken Access Control, EUVD-2021-8275]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.12.1 [CVE-2021-20867, Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields", Advanced Custom Fields < 5.11 - Subscriber+ Arbitrary ACF Data/Field Groups View and Fields Move, Advanced Custom Fields <= 5.10 - Missing Authorization on Option Changes, WordPress Advanced Custom Fields Plugin < 5.11 is vulnerable to Broken Access Control, EUVD-2021-8276]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.8.12 [CVE-2020-36172, WordPress Advanced Custom Fields plugin <= 5.8.11 - Cross-Site Scripting (XSS) vulnerability, Advanced Custom Fields < 5.8.12 - Cross-Site Scripting in Select2 dropdowns, Advanced Custom Fields <= 5.8.11 - Cross-Site Scripting]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.7.8 [CVE-2018-20986, Advanced Custom Fields <= 5.7.7 - Authenticated Cross-Site Scripting (XSS), Advanced Custom Fields <= 5.7.7 - Author+ Stored Cross-Site Scripting]
+ 33 more known vulnerabilities
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.12.1 [CVE-2022-23183, WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization, WordPress Advanced Custom Fields plugin <= 5.12 - Database Information Access vulnerability, Advanced Custom Fields < 5.12.1 - Contributor+ Database Information Access, Advanced Custom Fields <= 5.12 - Authenticated Information Disclosure]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.10 [WordPress Advanced Custom Fields plugin <= 5.9.9 - Arbitrary ACF Data/Field Groups View and Fields Move vulnerability]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.7.8 [WordPress Advanced Custom Fields plugin <= 5.7.7 - Authenticated Cross-Site Scripting (XSS) vulnerability]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 1.1.13 [WordPress Advanced Custom Fields Plugin <= 1.1.12 - Stored Cross Site Scripting]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 3.5.2 [WordPress Advanced Custom Fields Plugin - Remote File Inclusion]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.12.3 [CVE-2022-2594, WordPress Advanced Custom Fields plugin <= 5.12.2 - Unauthenticated File Upload vulnerability, Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload, Advanced Custom Fields <= 5.12.2 - File Upload]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.7.12 [Advanced Custom Fields <= 5.7.10 - Unserialize of user input]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 3.5.2 [Advanced Custom Fields <= 3.5.1 - Remote File Inclusion]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] >= 3.1.1 - <= 6.0.2 [CVE-2022-40696, WordPress Advanced Custom Fields plugin 3.1.1 - 6.0.2 - Custom Field Value Exposure vulnerability, Advanced Custom Fields <= 6.0.2 - Authenticated (Contributor+) Information Disclosure]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.7.12 [Advanced Custom Fields <= 5.7.11 - PHP Object Injection]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 3.5.2 [Advanced Custom Fields <= 3.5.1 - Remote Code Execution via Remote File Inclusion]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.12.5 [WordPress Advanced Custom Fields Plugin <= 6.0.7 is vulnerable to PHP Object Injection]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 5.12.5 [CVE-2023-1196, WordPress Advanced Custom Fields PRO Plugin < 6.1.0 is vulnerable to PHP Object Injection, WordPress Advanced Custom Fields Plugin < 5.12.5 is vulnerable to PHP Object Injection, Advanced Custom Fields <= 6.0.7 - Authenticated (Contributor+) PHP Object Injection, Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection, Advanced Custom Fields < 5.12.5 - Contributor+ PHP Object Injection]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.1.6 [Advanced Custom Fields (Free and Pro) 5.8.10 to 5.12.5 & 6.0.0 to 6.1.5 - Reflected Cross-Site Scripting via 'post_status']
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.1.8 [Advanced Custom Fields 6.1 - 6.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.1.8 [WordPress Advanced Custom Fields Plugin <= 6.1.7 is vulnerable to Cross Site Scripting (XSS)]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.1.6 [CVE-2023-30777, Advanced Custom Fields < 6.1.6 - Reflected XSS]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] >= 6.1.0 - <= 6.1.7 [CVE-2023-40068, WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.2.5 [CVE-2023-6701, Advanced Custom Fields <= 6.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field, Advanced Custom Fields < 6.2.5 - Contributor+ Stored Cross-Site Scripting via Custom Field]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.2.5 [WordPress Advanced Custom Fields Plugin < 6.2.5 is vulnerable to Cross Site Scripting (XSS)]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.3.0 [CVE-2024-4565, WordPress Advanced Custom Fields Plugin < 6.3 is vulnerable to Sensitive Data Exposure, WordPress Advanced Custom Fields PRO Plugin < 6.3 is vulnerable to Sensitive Data Exposure, Advanced Custom Fields <= 6.2.10 - Authenticated (Contributor+) Arbitrary Custom Field Access]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.3.6 [CVE-2024-45429, WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting, Advanced Custom Fields <= 6.3.5 - Authenticated Stored Cross-Site Scripting]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.3.8 [CVE-2024-9529, WordPress Advanced Custom Fields Plugin <= 6.3.7 is vulnerable to Arbitrary Code Execution, WordPress Advanced Custom Fields PRO Plugin <= 6.3.7 is vulnerable to Arbitrary Code Execution]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.3.8 [Advanced Custom Fields <= 6.3.8 - Authenticated (Admin+) Limited Arbitrary Function Call]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.3.9 [CVE-2024-49593]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.3.9 [Advanced Custom Fields <= 6.3.8 & Secure Custom Fields <= 6.3.6.2 - Authenticated (Admin+) Stored Cross-Site Scripting]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.3.9 [WordPress Advanced Custom Fields Plugin <= 6.3.6.2 is vulnerable to Cross Site Scripting (XSS)]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 3.5.2 [CVE-2012-10025, EUVD-2012-6571]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 3.5.2 [WordPress Advanced Custom Fields Plugin <= 3.5.1 is vulnerable to Remote Code Execution (RCE)]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.4.3 [CVE-2025-54940, Advanced Custom Fields <= 6.4.2. - HTML Injection, EUVD-2025-23979, WordPress plugin "Advanced Custom Fields" vulnerable to HTML injection]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.7.1 [CVE-2026-4812, Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters, EUVD-2026-22828]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.8.2 [CVE-2026-8382, Advanced Custom Fields (ACF®) <= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters, EUVD-2026-33483]
- Advanced Custom Fields (ACF®) [advanced-custom-fields] < 6.8.2 [Advanced Custom Fields (ACF®) <= 6.8.1 - Missing Authorization]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Meta Box — 500000+ active installs — max PHP 8.4
- Checkout Field Editor (Checkout Manager) for WooCommerce — 400000+ active installs — max PHP 8.4
- ACF Content Analysis for Yoast SEO — 100000+ active installs — max PHP 8.4
- Advanced Custom Fields: Extended — 100000+ active installs — max PHP <8.0
- Admin Columns — 100000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.