Secure Custom Fields < 6.3.6.3 – Admin+ Stored XSS | CVE 2024-49593 | Plugin Vulnerabilities

Description

The Advanced Custom Fields & Secure Custom Fields plugins for WordPress are vulnerable to Stored Cross-Site Scripting via ACF field labels in all versions up to, and including, 6.3.8 & 6.3.6.2 respectively due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

advanced-custom-fields

Fixed in 6.3.9

advanced-custom-fields

Fixed in 6.3.6.3

advanced-custom-fields-pro

Fixed in 6.3.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-custom-fields/advanced-custom-fields-638-secure-custom-fields-6362-authenticated-admin-stored-cross-site-scripting

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Duc Luong Tran

Verified

No

WPVDB ID

9291ad3e-3618-4dbc-ae86-698e7c4d4182

Timeline

Publicly Published

2024-10-15 (about 1 year ago)

Added

2024-10-17 (about 1 year ago)

Last Updated

2024-10-18 (about 1 year ago)

Other

Published

Title

Published

2025-08-27

Title

Beaver Builder Plugin (Lite Version) < 2.9.3.1 - Reflected Cross-Site Scripting

Published

2024-05-06

Title

AWSOM News Announcement <= 1.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-01-14

Title

WP ULike < 4.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-09-01

Title

WP Default Feature Image <= 1.0.1.1 - Admin+ Stored XSS

Published

2023-05-22

Title

qubotchat < 1.1.6 - Unauthenticated Stored XSS