Advanced Custom Fields: Table Field

Use with caution

Last revised: July 13, 2016

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can

This recommendation applies to version 1.1.12 of this plugin, but the most recent version is 1.3.26. These findings may no longer be correct.

Findings

Does not escape content correctly.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Does not escape content before outputting it meaning that a less privileged user can inject JavaScript into a field and it will be executed by any other users that visit the page the field is on. See advisory.

Failure criteria

Lack of proper output escaping

dxw advisories

Plugin inspection: