Syntax: kev:true severity:critical epss:>0.95 vendor:cisco patch:false
Top 20 matches Showing top matches — use filters or a more specific query to narrow
The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from runni
CVE-2025-14533
CRITICAL CVSS 9.8
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query en
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users t
In Advanced Custom Fields (ACF) before 6.3.9 and Secure Custom Fields before 6.3.6.3 (plugins for WordPress), using the Field Group editor to edit one of the plugin's fields can result in execution of
The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user i
The Just Custom Fields plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX functions in all versions up to, and including, 3.3.
An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tamper
Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting p
The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' f
The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and
The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficie
The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output
CVE-2025-13486
CRITICAL CVSS 9.8
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accept
CVE-2026-4882
CRITICAL CVSS 9.8
The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to,
CVE-2026-8809
CRITICAL CVSS 9.8
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the a
The WPC Admin Columns plugin for WordPress is vulnerable to privilege escalation in versions 2.0.6 to 2.1.0. This is due to the plugin not properly restricting user meta values that can be updated thr
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and i
The WP Custom Fields Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpcfs-preset shortcode in all versions up to, and including, 1.2.35 due to insufficient i
The Custom Field Manager WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used ag