Addressing HTML Injection Vulnerability in WordPress Advanced Custom Fields Plugin

The WordPress plugin “Advanced Custom Fields” (ACF), maintained by WPEngine, Inc., recently received a fix for an HTML injection vulnerability. The flaw affects all versions of the plugin prior to 6.4.3 and is resolved by updating to 6.4.3 or later.

Vulnerability Overview
The vulnerability allowed HTML stored in plugin data to be rendered unescaped in several administrative interface components, including field group labels, post titles, and Select2 selection elements. In practice, a user with admin-level privileges could create or modify field definitions whose labels or titles contained arbitrary markup; when another user later opened the affected admin screens, that markup became part of the page instead of being displayed as literal text, which could alter the display or behaviour of the WordPress backend. The root cause in this class of bug is output that is not escaped for the HTML context it is written into.
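As an added illustration (example code written for this page, not code from ACF, WordPress or Select2), the following JavaScript shows the unsafe rendering pattern behind this class of bug next to its escaped counterpart, and a small check that flags tag-like content in stored labels. The function names, the `acf-label` and `acf-field-select` class names, and the sample label are this example's own assumptions.

```javascript
// Added example, not ACF's own code: an unescaped admin-UI label becomes HTML
// injection; escaping the label for its HTML context prevents it.
// All function and class names below are this example's own assumptions.

// Escapes the five HTML-significant characters so a value is shown as text in
// both element content and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: a stored field-group label is concatenated straight into
// admin markup, so any tags in the label become part of the page.
function renderLabelUnsafe(label) {
  return `<label class="acf-label">${label}</label>`;
}

// Hardened pattern: the same label, escaped for an HTML text context.
function renderLabelEscaped(label) {
  return `<label class="acf-label">${escapeHtml(label)}</label>`;
}

// Select2-style option template. When a template returns a string and the
// picker's escapeMarkup option is overridden to pass markup through (the usual
// way a picker becomes an injection sink), every data-derived value placed in
// the template must be escaped by the template itself.
function renderSelect2Option(item) {
  return `<span class="acf-field-select"><strong>${escapeHtml(item.label)}</strong> ` +
    `<code>${escapeHtml(item.name)}</code></span>`;
}

// Audit check: flags labels containing anything tag-like. A legitimate field
// label never needs a tag, so a hit is worth a manual look. A bare "<" used as
// a comparison sign (for example "a < b") is not flagged.
function containsMarkup(label) {
  return /<[a-zA-Z!\/][^>]*>/.test(String(label));
}

// Constructed sample label, as a privileged user could have saved it.
const SAMPLE_LABEL = 'Hero image <img src=x onerror="alert(1)">';

// Renders the sample both ways and runs the audit check on it.
function demo() {
  return {
    unsafe: renderLabelUnsafe(SAMPLE_LABEL),
    escaped: renderLabelEscaped(SAMPLE_LABEL),
    option: renderSelect2Option({ label: SAMPLE_LABEL, name: 'hero_image' }),
    flagged: containsMarkup(SAMPLE_LABEL),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In ACF's PHP code the equivalent hardening step is wrapping each output value in WordPress's esc_html() (or esc_attr() inside attribute values); the JavaScript form is shown because Select2 builds its option markup client-side, and the same rule applies there: either leave Select2's default escapeMarkup in place, or escape every data-derived value inside the template when escapeMarkup has been overridden. The containsMarkup() check can be run over a JSON export of existing field groups to find labels saved before the upgrade that already carry markup.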

Risk Assessment
The severity scores assigned to this vulnerability indicate a low to medium risk:

  • CVSS 4.0: 4.6 (medium)
  • CVSS 3.0: 3.4 (low)

Exploitation requires an authenticated user who is already allowed to edit field groups, which limits the practical impact. On a single-site install, administrators hold the unfiltered_html capability and can publish raw HTML anyway; the bug matters more on multisite installs, or where that capability has been removed, because it lets a privileged user place markup into admin screens that they would otherwise not be permitted to place there. The injected content could interfere with page rendering and disrupt normal administrative processes, and a manipulated backend could be used to mislead other administrators. There was no direct threat to general website visitors. The recommended action is to update to ACF 6.4.3 or later and, where field groups have been edited by less-trusted privileged users, to review stored labels and titles for unexpected markup.
