{"id":7843,"date":"2025-08-08T17:01:45","date_gmt":"2025-08-08T15:01:45","guid":{"rendered":"https:\/\/www.lrob.fr\/?p=7843"},"modified":"2025-08-08T17:01:45","modified_gmt":"2025-08-08T15:01:45","slug":"acf-faille-cve-2025-54940","status":"publish","type":"post","link":"https:\/\/www.lrob.fr\/en\/blog\/securite\/acf-faille-cve-2025-54940\/","title":{"rendered":"ACF: CVE-2025-54940: why 6.4.3 is still a must-have update (even if the CVSS score is moderate)"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Advanced Custom Fields (ACF) is installed on more than 2 million WordPress sites. On 08\/08\/2025, a vulnerability referenced as <strong>CVE-2025-54940<\/strong> was published. It concerns <strong>HTML injection<\/strong> possible in some ACF usages up to and including <strong>version 6.4.2<\/strong>. The vendor, WPEngine, has delivered a <strong>patch in 6.4.3<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CVSS details of the flaw<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">CVE: <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-54940\" target=\"_blank\" rel=\"noopener\">CVE-2025-54940<\/a><br>Base score: 4.6<br>Published on: 08\/08\/2025<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:H\/UI:A\/VC:N\/VI:N\/VA:N\/SC:N\/SI:L\/SA:N \u2192 Base 4.6<br>CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:R\/S:C\/C:N\/I:L\/A:N \u2192 Base 3.4<br><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In plain terms: remote exploitation is possible and not very complex, but <strong>high privileges are required<\/strong> and <strong>user interaction<\/strong> is necessary; the impact is above all on <strong>integrity<\/strong> (content injection\/modification), not on confidentiality or availability. 
Hence a \u201cmoderate\u201d score - but not one to be ignored.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What the vulnerability does<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>In concrete terms, a user with access to custom fields can insert HTML code that will be displayed as is on the pages.<\/strong><br>Result: degraded rendering, <strong>deceived visitors<\/strong> via booby-trapped content (fake buttons, banners, links), and a <strong>springboard to XSS<\/strong> depending on how your theme\/blocks re-display these fields.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On the <strong>admin<\/strong> side, ACF indicates that the <strong>unintentional import of malicious content<\/strong> (e.g. via field-group JSON) could also pose problems in certain use cases.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, we can assume that <strong>in certain ACF contexts<\/strong>, <strong>simply editing content<\/strong> as a user (not necessarily an admin) could be enough to exploit the flaw.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why bother if the score is \u201conly\u201d 4.6?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attack surface<\/strong>: huge (massively deployed plugin).<\/li>\n\n\n\n<li>The \u201c<strong>PR:H + UI:A<\/strong>\u201d prerequisites won't protect you if you have several powerful administrators\/editors, if you import third-party JSON, or if automations process ACF content.<\/li>\n\n\n\n<li>The impact may seem \u201cvisual\u201d, but a nearby XSS can become a major <strong>escalation lever<\/strong> (admin session theft, injection of third-party scripts, etc.) 
if escaping is lax.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Versions affected and patch<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Vulnerable<\/strong>: ACF \u2264 <strong>6.4.2<\/strong> (depending on the integration context and escaping).<\/li>\n\n\n\n<li><strong>Fixed<\/strong>: <strong>6.4.3<\/strong> (ACF and ACF PRO).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Plausible exploitation scenarios<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Inserting <strong>booby-trapped HTML<\/strong> in an ACF field displayed \u201craw\u201d by the theme \u2192 dummy buttons, pop-ups, redirects.<\/li>\n\n\n\n<li><strong>Internal phishing<\/strong>: content resembling legitimate components (CTAs, forms) to trick users.<\/li>\n\n\n\n<li><strong>Chain to XSS<\/strong> if the output is not secured (<code>esc_html<\/code>, <code>esc_attr<\/code>, <code>wp_kses<\/code>, etc.).<\/li>\n\n\n\n<li><strong>Import<\/strong> of field groups (JSON) containing malicious values, then re-displayed in the admin or on the front end.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What to do now (priorities)<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Update ACF to 6.4.3<\/strong> everywhere (prod, preprod, clones).<\/li>\n\n\n\n<li><strong>Developers: check the escaping<\/strong> of ACF fields in theme\/blocks\/shortcodes: never display \u201craw\u201d what comes from a field.<\/li>\n\n\n\n<li><strong>Check rights<\/strong>: who can create\/edit fields, import JSON, publish rich content?<\/li>\n\n\n\n<li><strong>Avoid untrusted imports<\/strong>: don't load field groups from external sources without auditing them. 
A good reminder.<\/li>\n\n\n\n<li><strong>Monitor<\/strong>: WAF active, admin logs, alerts on modifications to templates\/sensitive pages.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Recommended hardening (bonus)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy a <strong>Content-Security-Policy<\/strong> to limit the execution of unexpected scripts.<\/li>\n\n\n\n<li>Centralize ACF outputs via <strong>helpers that systematically escape<\/strong>.<\/li>\n\n\n\n<li>Re-scan critical pages with an <strong>XSS scanner<\/strong> and a crawl looking for unexpected HTML elements.<\/li>\n\n\n\n<li>Activate a WAF (web application firewall), such as the one <a href=\"https:\/\/www.lrob.fr\/en\/web-hosting\/\">active by default on LRob hosting<\/a>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\u201cMy site looks healthy, can I wait?\u201d<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Bad idea: the cost of a deployment is minimal compared to the risk of content hijacking on key pages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u201cMy theme already escapes variables, am I covered?\u201d<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You reduce the risk, but <strong>update anyway<\/strong>: you don't control all the entry points (imports, third-party blocks\/shortcodes).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u201cI can't patch today.\u201d<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Activate a <strong>WAF<\/strong>, <strong>freeze<\/strong> non-essential accounts, <strong>temporarily deactivate<\/strong> the \u201crich\u201d displays likely to be injected, then schedule the update as soon as possible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JVN (detailed advisory, CVSS v4.0 4.6 &amp; v3.0 3.4): <a href=\"https:\/\/jvn.jp\/en\/jp\/JVN21048820\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/jvn.jp\/en\/jp\/JVN21048820\/<\/a><\/li>\n\n\n\n<li>CVE 
Program (official CVE record): <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-54940\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.cve.org\/CVERecord?id=CVE-2025-54940<\/a><\/li>\n\n\n\n<li>ACF announcement - security release 6.4.3: <a href=\"https:\/\/www.advancedcustomfields.com\/blog\/acf-6-4-3-security-release\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.advancedcustomfields.com\/blog\/acf-6-4-3-security-release\/<\/a><\/li>\n\n\n\n<li>ACF plugin page (active installations, changelog): <a href=\"https:\/\/wordpress.org\/plugin\/advanced-custom-fields\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/wordpress.org\/plugin\/advanced-custom-fields\/<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>An HTML injection flaw affects Advanced Custom Fields up to version 6.4.2. Moderate risk, but it must be corrected quickly to avoid defacement, phishing or XSS.<\/p>","protected":false},"author":1,"featured_media":7844,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ai_generated_summary":"","footnotes":""},"categories":[45],"tags":[],"class_list":["post-7843","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-securite"],"_links":{"self":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/comments?post=7843"}],"version-history":[{"count":0,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7843\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/med
ia\/7844"}],"wp:attachment":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media?parent=7843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/categories?post=7843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/tags?post=7843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}