The plugin did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.
https://example.com/wp-admin/edit.php?post_type=acf-field-group&page=acf-settings-updates&"><script>alert('XSS')</script>
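The escaping failure described above, shown as an added example (not the plugin's code, and not the vendor's actual fix): the same URL is written into an attribute once without escaping and once escaped for the attribute context. The function names and the `action` attribute are hypothetical, and the input is a constructed value reusing the query string from the advisory's example URL.

```php
<?php
// Added illustration; function names are hypothetical, not from the plugin.

// Vulnerable pattern: the URL is concatenated into an attribute value as-is,
// so a double quote inside the URL ends the attribute early.
function render_form_unsafe(string $url): string {
    return '<form method="post" action="' . $url . '">';
}

// Hardened pattern: escape for the HTML attribute context at output time.
// Plain PHP is used here so the file runs without WordPress; inside
// WordPress the usual helpers for this are esc_url() or esc_attr().
function render_form_safe(string $url): string {
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">';
}

// True when the markup still contains a raw <script> tag.
function has_raw_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed value standing in for the generated update URL.
$url = 'https://example.com/wp-admin/edit.php?post_type=acf-field-group'
     . '&page=acf-settings-updates&"><script>alert(\'XSS\')</script>';

$unsafe = render_form_unsafe($url);
$safe   = render_form_safe($url);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// The unescaped output carries the tag into the page; the escaped one
// keeps the whole URL inside the attribute value.
var_dump(has_raw_script_tag($unsafe)); // bool(true)
var_dump(has_raw_script_tag($safe));   // bool(false)
```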
Juan David Ordoñez Noriega
Juan David Ordoñez Noriega
Yes
2021-01-20
2021-04-02
2021-06-09