HTML Injection Vulnerability in Advanced Custom Fields Plugin for WordPress
CVE-2025-54940
What is CVE-2025-54940?
An HTML injection vulnerability has been identified in the Advanced Custom Fields plugin for WordPress, which affects all versions released prior to 6.4.3. This flaw allows malicious users to inject crafted HTML code into the plugin, potentially altering the display of pages and compromising the integrity of the affected website. Exploiting this vulnerability could lead to unexpected behavior on web pages, making it crucial for users to update their plugins to the latest secure version to mitigate risks. For further details on remediation, please check the official security release.

Affected Version(s)
Advanced Custom Fields prior to 6.4.3