WordPress Plugin Vulnerabilities

Advanced Custom Fields < 6.4.3 - HTML Injection

Description

The plugin is vulnerable to HTML Injection due to the plugin nor properly neutralizing unsafe HTML. This makes it possible for authenticated attackers, with administrator-level access and above, to inject potentially malicious HTML.

Affects Plugins

Plugin icon
advanced-custom-fields
Fixed in 6.4.3

References

CVE
CVE-2025-54940
URL
https://jvn.jp/en/jp/JVN21048820/

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Shogo Kumamaru
Verified
No
WPVDB ID
6599abf6-dd14-4cc0-b7f2-2dc606b92a7b

Timeline

Publicly Published
2025-08-08 (about 9 months ago)
Added
2025-08-26 (about 8 months ago)
Last Updated
2025-08-26 (about 8 months ago)

Other

Published
Title
Published
2021-09-23
Title
Ark Comment Editor <= 2.15.6 - Iframe Injection via Comment
Published
2022-11-29
Title
Quiz and Survey Master < 8.0.5 - Improper Input Validation
Published
2025-11-21
Title
Subscriptions & Memberships for PayPal < 1.1.8 - Unauthenticated Fake Payment Creation
Published
2024-02-05
Title
CP Polls < 1.0.72 - Unauthenticated Content Injection
Published
2024-06-27
Title
WooCommerce < 9.0.0 - Shop Manager+ Content Injection