cleantalk
Vulnerabilities and Security Researches

Advanced Custom Fields (ACF), PSC-2026-64613

PSC, Research URL

PSC-2026-64613

Home page URL

Security reports for Advanced Custom Fields (ACF)

Application

Advanced Custom Fields (ACF)

Published on
Feb 23, 2026
Research Description
Custom fields unlock a lot of power in WordPress, but they also expand the attack surface because they sit directly on the boundary between admin-side content modeling and front-end rendering. Field values can end up inside templates, blocks, REST responses, and admin UIs, which means weaknesses here frequently translate into stored XSS, unauthorized data exposure, or integrity issues. Advanced Custom Fields (ACF®) version 6.7.0 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64613, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for content modeling plugins.
Affected versions
Min 6.7.2, max 6.7.2.
Status
SAFE & CERTIFIED
Previous vulnerability researches
Advanced Custom Fields: Table Field (CVE-2025-12067) , Jan 27, 2026
Advanced Custom Fields: Table Field (a4db1680-e0ac-425e-90bf-306bb65b921f) , Jun 07, 2024
Advanced Custom Fields: Font Awesome Field (CVE-2025-14983) , Feb 27, 2026
Advanced Custom Fields (ACF) (CVE-2020-36172) , Jun 06, 2024
Advanced Custom Fields (ACF) (CVE-2021-20865) , Jun 06, 2024
New vulnerability
AMP Enhancer – Compatibility Layer for Official AMP Plugin (CVE-2026-2027) , Apr 16, 2026
WaveSurfer-WP (CVE-2026-1909) , Apr 16, 2026
xmlrpc attacks blocker (CVE-2026-2502) , Apr 16, 2026
Templately – Gutenberg & Elementor Template Library: 5000+ Free & Pro Ready Templates & Cloud! (CVE-2026-0831) , Apr 16, 2026
iRobots.txt SEO (CVE-2025-68840) , Apr 16, 2026