cbcvebase.

Hwk-Fr Advanced Custom Fields Extended vulnerabilities

5 known vulnerabilities affecting hwk-fr/advanced_custom_fields_extended.

Total CVEs
5
CISA KEV
0
Public exploits
1
Exploited in wild
1
Severity breakdown
CRITICAL3MEDIUM2

Vulnerabilities

Page 1 of 1
CVE-2025-13486P1CRITICALCVSS 9.8ExploitedPoC≥ 0.9.0.5, ≤ 0.9.1.12025-12-03
CVE-2025-13486 [CRITICAL] CWE-94 CVE-2025-13486: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on
nvd
CVE-2026-8809P2CRITICALCVSS 9.8≤ 0.9.2.52026-05-28
CVE-2026-8809 [CRITICAL] CWE-269 CVE-2026-8809: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity ve
nvd
CVE-2025-14533P2CRITICALCVSS 9.8≤ 0.9.2.12026-01-20
CVE-2025-14533 [CRITICAL] CWE-269 CVE-2025-14533: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in a The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registratio
nvd
CVE-2025-15463P3MEDIUMCVSS 6.5≤ 0.9.2.32026-05-12
CVE-2025-15463 [MEDIUM] CWE-94 CVE-2025-15463: The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode e The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute
nvd
CVE-2023-5292P4MEDIUMCVSS 5.4≤ 0.8.9.32023-10-20
CVE-2023-5292 [MEDIUM] CWE-79 CVE-2023-5292: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripti The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acfe_form' shortcode in versions up to, and including, 0.8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permiss
nvd
Hwk-Fr Advanced Custom Fields Extended vulnerabilities | cvebase