Stored Cross-Site Scripting in Sympl Repeater for ACF and Elementor Plugin
CVE-2026-10570
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 8 July 2026
What is CVE-2026-10570?
The Sympl Repeater for ACF and Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting through ACF repeater field values in all versions up to 2.3. This vulnerability arises from inadequate input sanitization and output escaping within the symp_arfe_replace_content() function. It improperly substitutes raw ACF field values into Elementor-generated HTML without escaping, allowing authenticated users with Author-level access and above to inject malicious scripts. These scripts execute when other users access the compromised pages.
Affected Version(s)
Sympl Repeater for ACF and Elementor 0 <= 2.3