Custom fields unlock a lot of power in WordPress, but they also expand the attack surface because they sit directly on the boundary between admin-side content modeling and front-end rendering. Field values can end up inside templates, blocks, REST responses, and admin UIs, which means weaknesses here frequently translate into stored XSS, unauthorized data exposure, or integrity issues. Advanced Custom Fields (ACF®) version 6.7.0 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64613, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for content modeling plugins.
| Field | Value |
| --- | --- |
| Name | Advanced Custom Fields (ACF®) |
| Version | 6.7.0 |
| Active installations | 2+ million |
| Description | Advanced Custom Fields (ACF®) turns WordPress sites into a fully-fledged content management system by giving you all the tools to do more with your data. |
| Security | Successfully tested for: SQL Injection (SQLi); Cross-Site Scripting (XSS), stored and reflected; Cross-Site Request Forgery (CSRF); Authentication Vulnerabilities; Authentication Bypass Exploits; Privilege Escalation; Buffer Overflow; Denial-of-Service (DoS) vectors; Data Leakage Vulnerabilities; Insecure Dependency Usage; Remote Code Execution (RCE) Risks; Unauthorized File Access; Insufficient Injection Protection; Information Disclosure via Misconfigured Endpoints |
| CleanTalk Certification | Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards. |
| Additional Information | Use ACF to extend content editing with confidence backed by the “Plugin Security Certification” (PSC). Always verify the latest plugin details and keep WordPress core and dependent components up to date. |
Key Features
Advanced Custom Fields (ACF®) provides a structured way to model content in WordPress by defining field groups and attaching them to posts, pages, users, taxonomy terms, media, comments, and options pages. It offers a broad catalog of field types and a user-friendly field builder that integrates cleanly into the native editor experience. For developers, ACF exposes well-known template functions and APIs that make it straightforward to retrieve and render field values, while also supporting modern WordPress workflows such as block-based editing (via ACF Blocks) and content modeling tasks such as registering custom post types and taxonomies from the UI. These capabilities matter for security because they touch multiple sensitive surfaces: wp-admin configuration screens, meta storage, render pipelines, and, where enabled, API exposure paths through which data moves between trusted and untrusted contexts.
Security Assurance
The CleanTalk Plugin Security Certification evaluation focuses on defensive coding and safe behavior under realistic attacker models for content modeling plugins. With custom fields, the common abuse patterns are predictable: attackers try to inject JavaScript into values that get rendered by themes or blocks (stored XSS), bypass capability checks to modify field groups or write data into sensitive objects, abuse AJAX or REST-style endpoints to read or change content they should not access, and exploit weak nonce enforcement to perform CSRF against administrators. The review validates that administrative features are protected by appropriate roles and capability checks (not just menu visibility), that state-changing actions implement nonce validation, and that field values and configuration data are treated safely across storage, retrieval, and output contexts. Because field values often end up inside HTML attributes, block markup, and admin previews, particular attention is paid to output encoding, safe rendering defaults, and preventing “configuration-as-code” patterns from becoming injection paths.
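The checks described above (nonce validation on state-changing actions, capability checks on the target object rather than menu visibility, and context-aware output escaping when a field value is rendered through the template functions mentioned under Key Features) are easier to recognise in code. The following is an added example written for this page; it is not code from ACF or from the CleanTalk review. The field names `cta_link` and `cta_label`, the AJAX action `demo_save_cta_link`, and every `demo_*` function are invented for the illustration; the `wp_*`, `esc_*`, `check_ajax_referer`, `current_user_can`, `get_field` and `update_field` calls are real WordPress and ACF functions. It assumes it is loaded inside WordPress with ACF active, for instance as an mu-plugin.

```php
<?php
/**
 * Added example, not ACF's or CleanTalk's code. Shows the insecure shape a
 * custom-field review is meant to catch next to the hardened shape.
 * Assumes WordPress with ACF active; field names, the AJAX action name and
 * the demo_* functions are hypothetical.
 */

// ---- Vulnerable shape (do not ship) ----------------------------------------
// No nonce (CSRF), no capability check (any authenticated user can write to
// any post), no sanitisation, and the value is later echoed raw into an href,
// so a stored "javascript:alert(1)" or '" onmouseover="..."' becomes stored XSS.
function demo_save_cta_link_insecure() {
    update_post_meta( (int) $_POST['post_id'], 'cta_link', $_POST['cta_link'] );
    wp_send_json_success();
}
function demo_render_cta_insecure( $post_id ) {
    return '<a href="' . get_field( 'cta_link', $post_id ) . '">'
         . get_field( 'cta_label', $post_id ) . '</a>';
}

// ---- Hardened shape ---------------------------------------------------------
function demo_save_cta_link() {
    // 1. CSRF: the request must carry a nonce minted for this exact action,
    //    e.g. wp_create_nonce( 'demo_save_cta_link' ) on the calling page.
    //    check_ajax_referer() stops execution when the nonce is missing or stale.
    check_ajax_referer( 'demo_save_cta_link', 'nonce' );

    // 2. Authorization on the target object, not on "is logged in" and not on
    //    whether a menu entry was visible. edit_post is a meta capability
    //    resolved per post, so a contributor cannot write to someone else's post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    // 3. Input handling: unslash, then constrain the value to what the field is
    //    for. esc_url_raw() with an explicit scheme allow-list returns '' for
    //    javascript: and data: URLs, so they never reach the database.
    $raw  = isset( $_POST['cta_link'] ) ? wp_unslash( $_POST['cta_link'] ) : '';
    $link = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $link ) {
        wp_send_json_error( array( 'message' => 'invalid url' ), 400 );
    }
    $label = isset( $_POST['cta_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['cta_label'] ) )
        : '';

    // ACF's own writer: stores the value together with its field-key reference.
    update_field( 'cta_link', $link, $post_id );
    update_field( 'cta_label', $label, $post_id );
    wp_send_json_success( array( 'cta_link' => $link, 'cta_label' => $label ) );
}
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated visitors must
// never reach a state-changing handler.
add_action( 'wp_ajax_demo_save_cta_link', 'demo_save_cta_link' );

// ---- Rendering: escape for the context the value lands in --------------------
// Sanitising on save is defence in depth, not a substitute for escaping at
// output; an admin or an older import may have stored an unsanitised value.
function demo_render_cta( $post_id ) {
    $link  = get_field( 'cta_link', $post_id );
    $label = get_field( 'cta_label', $post_id );

    return sprintf(
        '<a class="cta" href="%s" data-label="%s">%s</a>',
        esc_url( $link ),   // URL attribute: scheme allow-list plus attribute escaping
        esc_attr( $label ), // plain attribute: quotes and angle brackets encoded
        esc_html( $label )  // text node: HTML-encoded
    );
    // For a WYSIWYG / rich-text field, pass the value through wp_kses_post()
    // rather than echoing it raw.
}
```

The split between "sanitise on write" and "escape on output" is the point: the scheme allow-list on save stops the obvious `javascript:` payload, but only the context-specific escaper in the template protects the attribute if a value ever arrives in storage by another route (REST, import, a less careful plugin). When the same field is also exposed through the REST API or a headless front end, the consuming client has to apply the equivalent escaping for its own rendering context.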
The plugin has been successfully tested for:
✅ Information Leakage Vulnerabilities
✅ SQL Injection Vulnerabilities
✅ Cross-Site Scripting (XSS) Attacks
✅ Cross-Site Request Forgery (CSRF) Attacks
✅ Authentication & Authentication Bypass Vulnerabilities
✅ Privilege Escalation Vulnerabilities
✅ Buffer Overflow Vulnerabilities
✅ Denial-of-Service (DoS) Vulnerabilities
✅ Data Leakage Vulnerabilities
✅ Insecure Dependencies
✅ Code Execution Vulnerabilities
✅ Unauthorized File Access Vulnerabilities
✅ Insufficient Injection Protection
Conclusion
With PSC-2026-64613, Advanced Custom Fields (ACF®) version 6.7.0 demonstrates strong baseline security for the workflows that matter most in custom field frameworks: defining and managing field groups in wp-admin, storing and retrieving metadata safely, and minimizing injection and access-control risks across rendering and integration surfaces. This certification helps site owners and development teams reduce risk when extending WordPress into richer content models by choosing a solution that has been checked against common WordPress vulnerability classes. As a best practice, restrict who can manage field groups and options pages, review how field values are rendered in templates (especially inside attributes), and keep a clear policy for exposing custom field data via APIs or headless front ends.
Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.
