XSS Vulnerability in NotFound Advanced Custom Fields Plugin by WordPress
CVE-2025-26746
7.1HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 15 April 2025
What is CVE-2025-26746?
A vulnerability exists in the NotFound Advanced Custom Fields: Link Picker Field plugin, allowing attackers to execute arbitrary scripts in users' browsers through reflected XSS. This issue affects versions from n/a up to 1.2.8 of the plugin, potentially compromising user sessions and data integrity.
Affected Version(s)
Advanced Custom Fields: Link Picker Field <= 1.2.8