Published:2025/08/08 Last Updated:2025/08/08
JVN#21048820
WordPress plugin "Advanced Custom Fields" vulnerable to HTML injection
Overview
WordPress plugin "Advanced Custom Fields" provided by WPEngine, Inc. contains an HTML injection vulnerability.
Products Affected
- Advanced Custom Fields versions prior to 6.4.3
Description
Advanced Custom Fields provided by WPEngine, Inc. contains the following vulnerability.
- HTML injection (CWE-94)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N Base Score 4.6
- CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N Base Score 3.4
- CVE-2025-54940
Impact
Crafted HTML code may be rendered and page display may be tampered.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| WPEngine, Inc. | ACF 6.4.3 Security Release |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Shogo Kumamaru of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-54940 |
| JVN iPedia |
JVNDB-2025-000058 |