Advanced Custom Fields (ACF) runs on more than 2 million WordPress sites. On 08/08/2025, a vulnerability referenced as CVE-2025-54940 was published. It concerns HTML injection possible in some uses of ACF up to and including version 6.4.2. The vendor, WP Engine, has shipped a fix in 6.4.3.
Flaw details (CVSS)
CVE: CVE-2025-54940
Base score: 4.6
Published on: 08/08/2025
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N → Base 4.6
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N → Base 3.4
In plain terms: exploitable remotely, low complexity, but high privileges and user interaction are required; the impact is above all on integrity (content injection/modification), not on confidentiality or availability. Hence a “moderate” score, but not one to be ignored.
What the vulnerability does
In concrete terms, a user with access to custom fields can insert HTML code that is then displayed as-is on the pages.
Result: degraded rendering, deceiving visitors via booby-trapped content (fake buttons, banners, links), and springboard to XSS depending on how your theme/blocks re-display these fields.
On the administration side, ACF indicates that the unintentional import of malicious content (e.g. via field-group JSON) could also pose problems in certain use cases.
Finally, we can assume that in certain ACF contexts, simple content editing by a user (not necessarily an admin) could be enough to exploit the flaw.
Why bother if the score is “only” 4.6?
- Huge exposure surface (massively deployed plugin).
- The “PR:H + UI:A” preconditions are only reassuring on paper: if you have several powerful administrators/editors, if you import third-party JSON, or if automations process ACF content, they won't protect you.
- The impact may seem “visual”, but a nearby XSS can become a major escalation lever (admin session theft, injection of third-party scripts, etc.) if escaping is lax.
Versions affected and patch
- Vulnerable: ACF ≤ 6.4.2 (depending on the integration context and output escaping).
- Fixed: 6.4.3 (ACF and ACF PRO).
Plausible exploitation scenarios
- Booby-trapped HTML inserted in an ACF field that the theme displays “raw” → fake buttons, pop-ups, redirects.
- Internal phishing: content resembling legitimate components (CTAs, forms) to trick users.
- Chain to XSS if the output is not secured (esc_html, esc_attr, wp_kses, etc.).
- Import of field groups (JSON) containing malicious values, then re-displayed in the admin or on the front-end.
What to do now (priorities)
- Update ACF to 6.4.3 everywhere (prod, preprod, clones).
- Developers: check the escaping of ACF fields in themes/blocks/shortcodes; never display “raw” whatever comes from a field.
- Check rights: who can create/edit fields, import JSON, publish rich content?
- Avoid untrusted imports: don't load field groups from external sources without auditing them. A good reminder.
- Monitor: active WAF, admin logs, alerts on modifications to templates/sensitive pages.
Recommended hardening (bonus)
- Deploy a Content-Security-Policy to limit the execution of unexpected scripts.
- Centralize ACF outputs via helpers that escape systematically.
- Replay critical pages with an XSS scanner and a crawl looking for unexpected HTML elements.
- Activate a WAF (web application firewall), such as the one active by default on LRob hosting.
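As an added example (not code from ACF, WP Engine or this article) of the “never display raw” rule and the centralised-helper recommendation above: a small PHP helper that escapes each ACF value for the context in which it is printed. The theme_ function names are hypothetical; get_field(), esc_html(), esc_attr(), esc_url() and wp_kses() are the real ACF/WordPress functions, with minimal stand-ins so the file also runs outside WordPress.

```php
<?php
// Added example, not ACF's or the article's code. theme_* names are hypothetical;
// get_field/esc_html/esc_attr/esc_url/wp_kses are real ACF/WordPress functions.

// Stand-ins so the demo runs outside WordPress (assumption: the real functions
// are stricter, e.g. wp_kses also filters attributes and URL protocols).
if (!function_exists('esc_html')) {
    function esc_html($t) { return htmlspecialchars((string) $t, ENT_QUOTES, 'UTF-8'); }
    function esc_attr($t) { return htmlspecialchars((string) $t, ENT_QUOTES, 'UTF-8'); }
    function esc_url($t) { $t = (string) $t; return preg_match('#^https?://#i', $t) ? htmlspecialchars($t, ENT_QUOTES, 'UTF-8') : ''; }
    function wp_kses($t, $allowed) { return strip_tags((string) $t, array_keys($allowed)); }
}

// Allow-list for "rich" fields: everything else (<button>, <script>, <iframe>,
// and on* handlers under real wp_kses) is stripped instead of echoed raw.
const THEME_RICH_ALLOWED = [
    'a'      => ['href' => true, 'title' => true],
    'strong' => [],
    'em'     => [],
    'br'     => [],
];

// Escape one value according to where it will be printed.
function theme_escape_for_context(string $value, string $context): string
{
    switch ($context) {
        case 'attr': return esc_attr($value);                    // inside an HTML attribute
        case 'url':  return esc_url($value);                     // href/src: also rejects unsafe schemes
        case 'rich': return wp_kses($value, THEME_RICH_ALLOWED); // limited markup only
        default:     return esc_html($value);                    // plain text
    }
}

// Single entry point for templates: read the field with ACF, then escape it.
function theme_acf_output(string $field, string $context = 'text', $post_id = false): string
{
    $raw = function_exists('get_field') ? get_field($field, $post_id) : '';
    return theme_escape_for_context(is_scalar($raw) ? (string) $raw : '', $context);
}

// Vulnerable pattern the article warns about:  echo get_field('cta_label');
// Hardened equivalent in a template:
//   echo '<a href="' . theme_acf_output('cta_url', 'url') . '">' . theme_acf_output('cta_label') . '</a>';

// Constructed sample: a fake button an editor could store in a field.
$sample = '<button onclick="alert(1)">Download</button> <em>now</em>';
echo theme_escape_for_context($sample, 'text'), PHP_EOL; // shown literally, no button rendered
echo theme_escape_for_context($sample, 'rich'), PHP_EOL; // <button> stripped, <em> kept
```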
FAQ
“My site looks healthy, can I wait?”
Bad idea: the cost of a deployment is minimal compared to the risk of content hijacking on key pages.
“My theme already escapes variables, am I covered?”
You reduce the risk, but update anyway: you don't control all the entry points (imports, third-party blocks/shortcodes).
“I can't patch today.”
Activate a WAF, freeze non-essential accounts, temporarily deactivate the “rich” displays likely to be injected, then schedule the update as soon as possible.
Sources
- JVN (detailed sheet, CVSS v4.0 4.6 & v3.0 3.4): https://jvn.jp/en/jp/JVN21048820/
- CVE Program (official CVE record): https://www.cve.org/CVERecord?id=CVE-2025-54940
- ACF announcement, security release 6.4.3: https://www.advancedcustomfields.com/blog/acf-6-4-3-security-release/
- ACF plugin page (active installations, changelog): https://wordpress.org/plugin/advanced-custom-fields/