Published:2025/08/08  Last Updated:2025/08/08

JVN#21048820
WordPress plugin "Advanced Custom Fields" vulnerable to HTML injection

Overview

WordPress plugin "Advanced Custom Fields" provided by WPEngine, Inc. contains an HTML injection vulnerability.

Products Affected

  • Advanced Custom Fields versions prior to 6.4.3

Description

Advanced Custom Fields provided by WPEngine, Inc. contains the following vulnerability.

  • HTML injection (CWE-94)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Base Score 4.6
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N Base Score 3.4
    • CVE-2025-54940

Impact

Crafted HTML code may be rendered and page display may be tampered.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor Link
WPEngine, Inc. ACF 6.4.3 Security Release

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Shogo Kumamaru of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2025-54940
JVN iPedia JVNDB-2025-000058