Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can

Score Vector Complexity Authentication Confidentiality Integrity Availability
Network Medium Single Partial Partial None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.


This plugin allows users (who have permission to edit posts) to inject JavaScript into pages within /wp-admin/. This means a user can exceed their privileges by creating a script that causes an admin’s browser to perform an action, such as creating a new admin user, deleting all posts, etc.

Proof of concept

  1. Add a new ACF field group
  2. Add a new table-type field to that field group
  3. Create a new post/page, wherever the field group is set to display
  4. Enter “<script>alert(1)</script>” into a field and save the post
  5. Visit the page again, and the injected JavaScript will be executed

Tested with ACF PRO v5. Not tested with v4.

Mitigation/further actions

Update to version 1.1.13 or later.