WordPress Plugin Vulnerabilities

Table Field Add-on for ACF and SCF < 1.3.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table Cell Content

Description

The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
advanced-custom-fields-table-field
Fixed in 1.3.31

References

CVE
CVE-2025-12067
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/93f80716-a95b-49fc-805f-446d4723ca77

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
shark3y
Verified
No
WPVDB ID
ce2adaf8-d02e-49a7-a1ca-c7fcd9cb7414

Timeline

Publicly Published
2026-01-05 (about 4 months ago)
Added
2026-01-05 (about 4 months ago)
Last Updated
2026-01-06 (about 4 months ago)

Other

Published
Title
Published
2025-01-06
Title
WP jQuery DataTable < 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-04
Title
LA-Studio Element Kit for Elementor < 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-03-20
Title
FAQ Builder AYS < 1.8.3 - Unauthenticated Stored Cross-Site Scripting
Published
2020-07-29
Title
Reality < 2.5.6 - Multiple Reflected Cross-Site Scripting (XSS)
Published
2025-04-02
Title
Contact Form vCard Generator <= 2.4 - Unauthenticated Stored Cross-Site Scripting