Vulnerabilities and security researches foradvanced-custom-fields-table-field advanced-custom-fields-table-field

Jan 27, 2026

CVE, Research URL: CVE-2025-12067
Home page URL: Security reports for Advanced Custom Fields: Table Field
Application: Advanced Custom Fields: Table Field
Date: Jan 06, 2026
Research Description: The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.3.31.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: a4db1680-e0ac-425e-90bf-306bb65b921f
Home page URL: Security reports for Advanced Custom Fields: Table Field
Application: Advanced Custom Fields: Table Field
Date: -
Research Description: Table Field Add-on for ACF and SCF [advanced-custom-fields-table-field] < 1.1.13 Advanced Custom Fields: Table Field <= 1.1.12 - Stored Cross-Site Scripting (XSS) The Advanced Custom Fields: Table Field WordPress plugin was affected by a Stored Cross-Site Scripting (XSS) security vulnerability.
Affected versions: max 1.1.13.
Status: vulnerable