• At over 20,000 lines of code, this is a large plugin and so we’re unable to inspect it as thoroughly as a smaller plugin
• When creating fields, users are able to insert arbitrary HTML into field instructions (including JavaScript). The plugin does not check for the unfiltered_html capability so users normally unable to insert arbitrary HTML into the site may be able to bypass this restriction depending on their role and capabilities
• This plugin checks for updates and sends some information back to the plugin author’s site. This is unavoidable for any plugins not hosted on wordpress.org. But note that in addition to the necessary information, it also sends the name of the site, the languages installed on the site, and the timezone. (The URL to the site and the WordPress version are also sent, but this is already available via the User-Agent header which WordPress sets on all requests)
• There’s a function called acf_esc_html() which replaces <script and </script with &lt;script and &lt;/script, respectively. But it makes no attempt to replace other methods of inserting JavaScript. It’s unclear what the purpose of this function is, as it’s only used to escape a few field values (i.e. the prepend and append values for a text field)
• No other issues found

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

• Allows users without the unfiltered_html capability to insert arbitrary HTML