Description

An HTML injection vulnerability exists in the WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and the page display may be tampered with.

PUBLISHED Reserved 2025-08-01 | Published 2025-08-08 | Updated 2025-08-08 | Assigner jpcert




LOW: 3.4 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N)

MEDIUM: 4.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)

Problem types

Code injection

Product status

prior to 6.4.3: affected

References

www.advancedcustomfields.com/.../acf-6-4-3-security-release/

jvn.jp/en/jp/JVN21048820/

cve.org (CVE-2025-54940)

nvd.nist.gov (CVE-2025-54940)
