Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can


Last revised:

This plugin allows users (who have permission to edit posts) to inject JavaScript into pages within /wp-admin/. This means a user can exceed their privileges by creating a script that causes an admin’s browser to perform an action, such as creating a new admin user, deleting all posts, etc.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability

  • Score: 4.9 Medium
  • Vector: Network
  • Complexity: Medium
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Add a new ACF field group
  2. Add a new table-type field to that field group
  3. Create a new post/page, wherever the field group is set to display
  4. Enter “<script>alert(1)</script>” into a field and save the post
  5. Visit the page again, and the injected JavaScript will be executed

Tested with ACF PRO v5. Not tested with v4.
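
The output-encoding gap that the steps above exercise, shown as an added example. This is not the plugin's code or the vendor's 1.1.13 patch. The function names, the row layout and the `htmlspecialchars()` stand-in for WordPress's `esc_html()` are assumptions made so the file runs on its own.

```php
<?php
// Added illustration; not the plugin's code. Function names and row layout are hypothetical.

// Stand-in so the file also runs outside WordPress (assumption: plain
// htmlspecialchars() is close enough to esc_html() for this demonstration).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Build admin-side table markup; $encode decides how each stored cell is emitted.
function render_table(array $rows, callable $encode) {
    $html = '<table>';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            $html .= '<td>' . $encode($cell) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// Post-update check: list stored cells that still contain markup.
function cells_with_markup(array $rows) {
    $hits = array();
    foreach ($rows as $r => $row) {
        foreach ($row as $c => $cell) {
            if (strip_tags((string) $cell) !== (string) $cell) {
                $hits[] = array('row' => $r, 'col' => $c, 'value' => $cell);
            }
        }
    }
    return $hits;
}

// Constructed sample: one saved row holding the string from step 4 above.
$rows = array(array('Q1 totals', '<script>alert(1)</script>'));

// Vulnerable pattern: the stored value reaches the page verbatim.
$unsafe = render_table($rows, function ($cell) { return $cell; });
// Hardened pattern: the stored value is HTML-escaped at output time.
$safe = render_table($rows, 'esc_html');

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
echo count(cells_with_markup($rows)), " cell(s) contain markup", PHP_EOL;
```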

Advisory timeline

  • 2016-07-13: Discovered
  • 2016-07-13: Reported to vendor by email
  • 2016-07-13: Requested CVE
  • 2016-07-13: Vendor’s autoresponder said they were unavailable until 1st August
  • 2016-08-01: Vendor reported they were working on a fix
  • 2016-08-01: Vendor reported issue fixed in 1.1.13
  • 2016-08-08: Advisory published

Mitigation/further actions

Update to version 1.1.13 or later.