Plugin inspection:

Advanced Custom Fields PRO

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.


  • At over 20,000 lines of code, this is a large plugin and so we’re unable to inspect it as thoroughly as a smaller plugin
  • When creating fields, users are able to insert arbitrary HTML into field instructions (including JavaScript). The plugin does not check for the unfiltered_html capability so users normally unable to insert arbitrary HTML into the site may be able to bypass this restriction depending on their role and capabilities
  • This plugin checks for updates and sends some information back to the plugin author’s site. This is unavoidable for any plugins not hosted on But note that in addition to the necessary information, it also sends the name of the site, the languages installed on the site, and the timezone. (The URL to the site and the WordPress version are also sent, but this is already available via the User-Agent header which WordPress sets on all requests)
  • There’s a function called acf_esc_html() which replaces <script and </script with &lt;script and &lt;/script, respectively. But it makes no attempt to replace other methods of inserting JavaScript. It’s unclear what the purpose of this function is, as it’s only used to escape a few field values (i.e. the prepend and append values for a text field)
  • No other issues found

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

  • Allows users without the unfiltered_html capability to insert arbitrary HTML

Failure criteria

  • Lack of input sanitisation
  • Lack of proper output escaping
  • Very large codebase

Read more about our failure criteria.