Advanced Custom Fields is one of the most-used WordPress plugins. Like many other popular WordPress plugins, it has security vulnerabilities from time to time. Mr. Rafie Muhammad of Patchstack, who first discovered the vulnerability in February 2023 and discovered a second vulnerability on May 2, described the now-patched issue:
This plugin suffers from a reflected XSS vulnerability. This vulnerability allows any unauthenticated user to do anything from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user into visiting a crafted URL path. The described vulnerability was fixed in version 6.1.6 and assigned CVE-2023-30777.
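To make the class of bug in the quote concrete for site owners who write their own plugin or theme code, here is an added illustration of a reflected XSS pattern and its standard WordPress mitigation. This is constructed example code, not code from ACF, Patchstack, or this post; the function names, the `nlj_demo_msg` query parameter, and the admin-notice hook usage are assumptions. It relies on WordPress's real `sanitize_text_field()`, `wp_unslash()`, `esc_html()`, and `add_action()` functions.

```php
<?php
// Constructed illustration; not ACF's code. Assumes it runs inside WordPress,
// so sanitize_text_field(), wp_unslash(), esc_html() and add_action() exist.

// Unsafe pattern: whatever arrives in ?nlj_demo_msg=... is echoed verbatim,
// so markup placed in the URL is rendered in the privileged user's browser.
function nlj_demo_render_unsafe( $raw ) {
    return '<div class="notice">' . $raw . '</div>';
}

// Hardened pattern: normalize the input on the way in and escape on the way
// out. esc_html() converts <, >, &, and quotes to entities, so the value is
// displayed as text rather than interpreted as HTML.
function nlj_demo_render_safe( $raw ) {
    $msg = sanitize_text_field( wp_unslash( $raw ) );
    return '<div class="notice">' . esc_html( $msg ) . '</div>';
}

// Only the hardened renderer is wired to the admin screen.
function nlj_demo_admin_notice() {
    if ( ! isset( $_GET['nlj_demo_msg'] ) ) {
        return;
    }
    echo nlj_demo_render_safe( $_GET['nlj_demo_msg'] );
}
add_action( 'admin_notices', 'nlj_demo_admin_notice' );
```

The two render functions take the raw value as an argument rather than reading `$_GET` directly, which makes the escaping behaviour easy to unit-test outside a request: feeding a string containing a `<script>` tag to `nlj_demo_render_safe()` yields the entity-encoded text, while `nlj_demo_render_unsafe()` returns it unchanged. When reviewing a plugin, look for output paths that resemble the first function.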
Fortunately, ACF fixed the identified issue on May 6.
We do not use Advanced Custom Fields here at The New Leaf Journal. My custom field needs are minimal and not beyond the scope of WordPress’s native custom fields, although my lack of coding expertise means that I need clear guides and docs to make native custom fields useful. If you run a WordPress site and want to try native custom fields instead of a plugin such as ACF or Metabox, you may be wondering what I am talking about. Where are these custom fields!? For whatever reason, WordPress does not show native custom fields in the editor by default. CSS Tricks explained how to enable them here. While every site is different and some have more complicated needs than The New Leaf Journal, webmasters should consider checking whether WordPress’s native custom fields are sufficient for their needs (assuming they have custom field needs at all) before turning to a heavier plugin solution.
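As an added example of what "native custom fields" look like in practice once the Custom Fields panel is enabled in the editor (this is constructed theme code, not from this post or from CSS Tricks): a value entered under a custom field key in the post editor is stored as post meta and can be read in a template with WordPress's real `get_post_meta()` function. The `nlj_subtitle` key and the `nlj_` function name are assumptions.

```php
<?php
// Constructed theme-template helper; assumes WordPress is loaded so that
// get_post_meta(), get_the_ID() and esc_html() are available.

// Reads a native custom field (post meta) for the current post and returns it
// ready for display. The third argument `true` asks for a single value rather
// than an array. Because meta values are editable by anyone with edit rights,
// they are still escaped on output like any other stored string.
function nlj_subtitle_html( $post_id = null, $fallback = '' ) {
    $post_id = $post_id ? $post_id : get_the_ID();
    $value   = get_post_meta( $post_id, 'nlj_subtitle', true );
    if ( '' === $value || false === $value ) {
        return esc_html( $fallback );
    }
    return esc_html( $value );
}

// Usage inside a template, e.g. single.php:
// echo '<p class="subtitle">' . nlj_subtitle_html() . '</p>';
```

Keys beginning with an underscore are hidden from the Custom Fields panel, so use a plain key such as the one above when you want to edit the value in the editor. This is all a site with simple needs requires, with no plugin in the loop.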