Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for Advanced Custom Fields by WPEngine, Inc.
CVE-2025-54940 (GCVE-0-2025-54940)
Vulnerability from nvd – Published: 2025-08-08 04:34 – Updated: 2025-08-08 16:11
VLAI?
Summary
An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered.
Severity ?
CWE
- CWE-94 - Code injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPEngine, Inc. | Advanced Custom Fields |
Affected:
prior to 6.4.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-08T16:11:01.929075Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T16:11:14.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Advanced Custom Fields",
"vendor": "WPEngine, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to 6.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in WordPress plugin \"Advanced Custom Fields\" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code injection",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T04:34:02.380Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.advancedcustomfields.com/blog/acf-6-4-3-security-release/"
},
{
"url": "https://jvn.jp/en/jp/JVN21048820/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-54940",
"datePublished": "2025-08-08T04:34:02.380Z",
"dateReserved": "2025-08-01T05:50:41.871Z",
"dateUpdated": "2025-08-08T16:11:14.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54940 (GCVE-0-2025-54940)
Vulnerability from cvelistv5 – Published: 2025-08-08 04:34 – Updated: 2025-08-08 16:11
VLAI?
Summary
An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered.
Severity ?
CWE
- CWE-94 - Code injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPEngine, Inc. | Advanced Custom Fields |
Affected:
prior to 6.4.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-08T16:11:01.929075Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T16:11:14.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Advanced Custom Fields",
"vendor": "WPEngine, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to 6.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An HTML injection vulnerability exists in WordPress plugin \"Advanced Custom Fields\" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code injection",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T04:34:02.380Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.advancedcustomfields.com/blog/acf-6-4-3-security-release/"
},
{
"url": "https://jvn.jp/en/jp/JVN21048820/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-54940",
"datePublished": "2025-08-08T04:34:02.380Z",
"dateReserved": "2025-08-01T05:50:41.871Z",
"dateUpdated": "2025-08-08T16:11:14.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}