Which Advanced Custom Fields (ACF®) CVEs are tracked?

Advanced Custom Fields (ACF®) tracked CVEs include CVE-2023-1196, CVE-2021-20865, CVE-2022-23183, CVE-2021-20866, and CVE-2023-6701.

How many Advanced Custom Fields (ACF®) vulnerabilities have patch guidance?

20 of 20 tracked Advanced Custom Fields (ACF®) records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 20 known issues Latest disclosed Apr 14, 2026

Advanced Custom Fields (ACF®) Vulnerabilities

Review known vulnerability records for the WordPress plugin Advanced Custom Fields (ACF®) (`advanced-custom-fields`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-4812, CVE-2025-54940 and CVE-2024-49593, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 15, 2026

Related Security Guides

Use these guides while reviewing Advanced Custom Fields (ACF®) fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening

WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.

Plugin Security

WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.

Scanning

WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.

Patch Decision Workflow

How to prioritize Advanced Custom Fields (ACF®) remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records

1. Match the Package

Confirm the installed WordPress plugin slug is advanced-custom-fields before acting on any CVE from this cluster.

2. Sort by Severity

Start with 2 high or critical records, then review medium and unrated findings with public references.

3. Check Patch Evidence

20 records include a patch path; verify compatibility before closing the finding.

4. Monitor Gaps

0 records still lack a listed fixed release, so keep this hub in the review queue.

High-Signal Remediation Targets

CVE-2023-1196 High

Vulnerability remediation for Advanced Custom Fields (ACF®)

Affected range: Versions up to 5.12.4. Fixed version: 5.12.5.

CVE-2021-20865 High

Vulnerability remediation for Advanced Custom Fields (ACF®)

Affected range: Versions before 5.11. Fixed version: 5.11.

CVE-2022-23183 Medium

Authorization Bypass remediation for Advanced Custom Fields (ACF®)

Affected range: Versions before 5.12.1. Fixed version: 5.12.1.

CVE-2021-20866 Medium

Vulnerability remediation for Advanced Custom Fields (ACF®)

Affected range: Versions before 5.11. Fixed version: 5.11.

Priority CVE Quick Links

Fast paths into Advanced Custom Fields (ACF®) CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

Tracked CVE	Issue Type	Affected Versions	Fixed Version	CVSS
CVE-2023-1196 Advanced Custom Fields <= 6.0.7 - Authenticated (Contributor+) PHP Object Injection	Vulnerability	Versions up to 5.12.4	5.12.5	CVSS 8.8
CVE-2021-20865 Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure	Vulnerability	Versions before 5.11	5.11	CVSS 7.5
CVE-2022-23183 Advanced Custom Fields <= 5.12 - Authenticated Information Disclosure	Authorization Bypass	Versions before 5.12.1	5.12.1	CVSS 6.5
CVE-2021-20866 Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure	Vulnerability	Versions before 5.11	5.11	CVSS 6.5
CVE-2023-6701 Advanced Custom Fields <= 6.2.4 - Authenticated (Contributor+) Stored Cross-Site Scr...	Stored Cross-Site Scripting	Versions up to 6.2.4	6.2.5	CVSS 6.4
CVE-2023-30777 Advanced Custom Fields (Free and Pro) 5.8.10 to 5.12.5 & 6.0.0 to 6.1.5 - Reflected...	Cross-Site Scripting	5.8.10 through 5.12.5	5.12.6	CVSS 6.1
CVE-2020-36172 Advanced Custom Fields <= 5.8.11 - Cross-Site Scripting	Cross-Site Scripting	Versions before 5.8.12	5.8.12	CVSS 6.1
CVE-2024-45429 Advanced Custom Fields <= 6.3.5 - Authenticated Stored Cross-Site Scripting	Stored Cross-Site Scripting	Versions up to 6.3.5	6.3.6	CVSS 5.5

CVE-2023-1196 High 5.12.5

CVE-2023-1196 Advanced Custom Fields (ACF®) Vulnerability

Advanced Custom Fields <= 6.0.7 - Authenticated (Contributor+) PHP Object Injection

CVE-2021-20865 High 5.11

CVE-2021-20865 Advanced Custom Fields (ACF®) Vulnerability

Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure

CVE-2022-23183 Medium 5.12.1

CVE-2022-23183 Advanced Custom Fields (ACF®) Authorization Bypass

Advanced Custom Fields <= 5.12 - Authenticated Information Disclosure

CVE-2021-20866 Medium 5.11

CVE-2021-20866 Advanced Custom Fields (ACF®) Vulnerability

Advanced Custom Fields <= 5.10 - Missing Authorization to Information Disclosure

CVE-2023-6701 Medium 6.2.5

CVE-2023-6701 Advanced Custom Fields (ACF®) Stored Cross-Site Scripting

Advanced Custom Fields <= 6.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

CVE-2023-30777 Medium 5.12.6

CVE-2023-30777 Advanced Custom Fields (ACF®) Cross-Site Scripting

Advanced Custom Fields (Free and Pro) 5.8.10 to 5.12.5 & 6.0.0 to 6.1.5 - Reflected Cross-Site Scripting via 'post_status'

CVE-2020-36172 Medium 5.8.12

CVE-2020-36172 Advanced Custom Fields (ACF®) Cross-Site Scripting

Advanced Custom Fields <= 5.8.11 - Cross-Site Scripting

CVE-2024-45429 Medium 6.3.6

CVE-2024-45429 Advanced Custom Fields (ACF®) Stored Cross-Site Scripting

Advanced Custom Fields <= 6.3.5 - Authenticated Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for Advanced Custom Fields (ACF®) so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

20 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 2 high severity findings.

Recent CVEs

CVE-2026-4812, CVE-2025-54940 and CVE-2024-49593

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-4812 Medium Patch path listed

CVE-2026-4812: Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX fiel...

Published

Apr 14, 2026

Patch Status

6.7.1

Review CVE-2026-4812 affected versions

CVE-2025-54940 Medium Patch path listed

CVE-2025-54940: Advanced Custom Fields <= 6.4.2. - HTML Injection

The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 6.4.2. This is due to the plugin nor properly neutralizing unsafe...

Published

Aug 08, 2025

Patch Status

6.4.3

Review CVE-2025-54940 affected versions

CVE-2024-49593 Medium Patch path listed

CVE-2024-49593: Advanced Custom Fields <= 6.3.8 & Secure Custom Fields <= 6.3.6.2 - Authenticated (Admin+) Stored Cross-Site Scripting

The Advanced Custom Fields & Secure Custom Fields plugins for WordPress are vulnerable to Stored Cross-Site Scripting via ACF field labels in all versions up to, and including, 6.3.8 & 6.3.6...

Published

Oct 15, 2024

Patch Status

6.3.6.3

Review CVE-2024-49593 affected versions

Known Vulnerabilities

Reports for Advanced Custom Fields (ACF®)

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-4812

CVE-2026-4812: Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured...

Published

Apr 14, 2026

Patched Release

6.7.1

Affected Versions

Versions up to 6.7.0

Next Step

Update to 6.7.1 or newer if supported.

Review CVE-2026-4812 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-54940

CVE-2025-54940: Advanced Custom Fields <= 6.4.2. - HTML Injection

The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 6.4.2. This is due to the plugin nor properly neutralizing unsafe HTML. This makes it possible for authenticated attackers, with administrator-level access...

Published

Aug 08, 2025

Patched Release

6.4.3

Affected Versions

Versions up to 6.4.2

Next Step

Update to 6.4.3 or newer if supported.

Review CVE-2025-54940 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-49593

CVE-2024-49593: Advanced Custom Fields <= 6.3.8 & Secure Custom Fields <= 6.3.6.2 - Authenticated (Admin+) Stored Cross-Site Scripting

The Advanced Custom Fields & Secure Custom Fields plugins for WordPress are vulnerable to Stored Cross-Site Scripting via ACF field labels in all versions up to, and including, 6.3.8 & 6.3.6.2 respectively due to insufficient input sanitization and output escaping. This makes it...

Published

Oct 15, 2024

Patched Release

6.3.6.3

Affected Versions

Versions up to 6.3.6.2

Next Step

Update to 6.3.6.3 or newer if supported.

Review CVE-2024-49593 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-9529

CVE-2024-9529: Advanced Custom Fields <= 6.3.8 - Authenticated (Admin+) Limited Arbitrary Function Call

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to limited arbitrary function calls via the 'register_meta_box_cb' and 'meta_box_cb' parameters in all versions up to, and including, 6.3.8 (excluding 6.3.6.2) due to insufficient input validation on those parame...

Published

Oct 07, 2024

Patched Release

6.3.6.3

Affected Versions

Versions up to 6.3.6.2

Next Step

Update to 6.3.6.3 or newer if supported.

Review CVE-2024-9529 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-45429

CVE-2024-45429: Advanced Custom Fields <= 6.3.5 - Authenticated Stored Cross-Site Scripting

The Advanced Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via field groups in all versions up to, and including, 6.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with the 'capa...

Published

Sep 04, 2024

Patched Release

6.3.6

Affected Versions

Versions up to 6.3.5

Next Step

Update to 6.3.6 or newer if supported.

Review CVE-2024-45429 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-4565

CVE-2024-4565: Advanced Custom Fields <= 6.2.10 - Authenticated (Contributor+) Arbitrary Custom Field Access

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to arbitrary custom field access in all versions up to, and including, 6.2.10. This is due to the plugin not properly restricting what post meta can be displayed through the plugin's shortcode. This makes it poss...

Published

May 30, 2024

Patched Release

6.3.0

Affected Versions

Versions up to 6.2.10

Next Step

Update to 6.3.0 or newer if supported.

Review CVE-2024-4565 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-6701

CVE-2023-6701: Advanced Custom Fields <= 6.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, w...

Published

Jan 17, 2024

Patched Release

6.2.5

Affected Versions

Versions up to 6.2.4

Next Step

Update to 6.2.5 or newer if supported.

Review CVE-2023-6701 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-40068

CVE-2023-40068: Advanced Custom Fields 6.1 - 6.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Advanced Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF post type and taxonomy labels in versions 6.1 to 6.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with adminis...

Published

Aug 03, 2023

Patched Release

6.1.8

Affected Versions

6.1 through 6.1.7

Next Step

Update to 6.1.8 or newer if supported.

Review CVE-2023-40068 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-30777

CVE-2023-30777: Advanced Custom Fields (Free and Pro) 5.8.10 to 5.12.5 & 6.0.0 to 6.1.5 - Reflected Cross-Site Scripting via 'post_status'

The Advanced Custom Fields (free & PRO) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_status' parameter in versions 5.8.10 to 5.12.5 and versions 6.0.0 to 6.1.5 due to insufficient input sanitization and output escaping. This makes it possible...

Published

May 04, 2023

Patched Release

5.12.6

Affected Versions

5.8.10 through 5.12.5

Next Step

Update to 5.12.6 or newer if supported.

Review CVE-2023-30777 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2023-1196

CVE-2023-1196: Advanced Custom Fields <= 6.0.7 - Authenticated (Contributor+) PHP Object Injection

The Advanced Custom Fields plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.0.7 via deserialization of untrusted input in custom field values. This makes it possible for authenticated attackers, with contributor-level permissions, and...

Published

Apr 03, 2023

Patched Release

5.12.5

Affected Versions

Versions up to 5.12.4

Next Step

Update to 5.12.5 or newer if supported.

Review CVE-2023-1196 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2022-40696

CVE-2022-40696: Advanced Custom Fields <= 6.0.2 - Authenticated (Contributor+) Information Disclosure

The Advanced Custom Fields plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 6.0.2. While the ACF shortcode ensures that the ACF data being accessed is valid data that has been entered into ACF fields, it may be possible with certain...

Published

Oct 18, 2022

Patched Release

6.0.3

Affected Versions

Versions up to 6.0.2

Next Step

Update to 6.0.3 or newer if supported.

Review CVE-2022-40696 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2022-2594

CVE-2022-2594: Advanced Custom Fields <= 5.12.2 - File Upload

The Advanced Custom Fields plugin for WordPress has a file upload vulnerability in versions up to, and including, 5.12.2. This allows users without the upload_files capability, such as contributors, or unauthenticated users in cases where a frontend form is added to the site, to...

Published

Jul 14, 2022

Patched Release

5.12.3

Affected Versions

Versions up to 5.12.2

Next Step

Update to 5.12.3 or newer if supported.

Review CVE-2022-2594 fixed version details Open CVE Reference