WordPress Advanced Custom Fields: Table Field 1.1.12 XSS


Software: Advanced Custom Fields: Table Field
Version: 1.1.12
Homepage: https://wordpress.org/plugins/advanced-custom-fields-table-field/
Advisory report: https://security.dxw.com/advisories/xss-in-advanced-custom-fields-table-field-could-allow-authenticated-users-to-do-almost-anything-an-admin-user-can/
CVE: Awaiting assignment
CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N)


Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can


This plugin allows users (who haveA permission to edit posts) to inject JavaScript into pages within /wp-admin/. ThisA means aA user canA exceed their privileges by creating a script that causes an adminas browser to perform an action,A such as creating a new admin user, deleting all posts, etc.

Proof of concept


Add a new ACF field group
Add a new table-type field to that field group
Create a new post/page, wherever the field group is set to display
Enter a

a into a field and save the post
Visit the page again, and the injected JavaScript will be executed

Tested with ACF PRO v5. Not tested with v4.


Update toA versionA 1.1.13 or later.

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.



2016-07-13: Discovered
2016-07-13: Reported to vendor byA email
2016-07-13: Requested CVE
2016-07-13: Vendoras autoresponder saidA they were unavailable until 1st August
2016-08-01: Vendor reported they were working on a fix
2016-08-01: Vendor reported issue fixed in 1.1.13
2016-08-08: Advisory published

Discovered by dxw

Tom Adams
Please visit security.dxw.com for more information.