{"id":7843,"date":"2025-08-08T17:01:45","date_gmt":"2025-08-08T15:01:45","guid":{"rendered":"https:\/\/www.lrob.fr\/?p=7843"},"modified":"2025-08-15T17:37:42","modified_gmt":"2025-08-15T15:37:42","slug":"acf-faille-cve-2025-54940","status":"publish","type":"post","link":"https:\/\/www.lrob.fr\/en\/blog\/securite\/acf-faille-cve-2025-54940\/","title":{"rendered":"ACF: CVE-2025-54940: why 6.4.3 is still a must-have update (even if the CVSS score is moderate)"},"content":{"rendered":"<p class=\"translation-block\">Advanced Custom Fields (ACF) powers more than 2 million WordPress sites. On 08\/08\/2025, a vulnerability referenced as <strong>CVE-2025-54940<\/strong> was published. It concerns <strong>HTML injection<\/strong> possible in certain uses of ACF up to and including <strong>version 6.4.2<\/strong>. The vendor, WPEngine, has shipped a <strong>fix in 6.4.3<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CVSS details of the flaw<\/h3>\n\n\n\n<p class=\"translation-block\">CVE: <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-54940\" target=\"_blank\" rel=\"noopener\">CVE-2025-54940<\/a><br>Base score: 4.6<br>Published on: 08\/08\/2025<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:H\/UI:A\/VC:N\/VI:N\/VA:N\/SC:N\/SI:L\/SA:N \u2192 Base 4.6<br>CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:R\/S:C\/C:N\/I:L\/A:N \u2192 Base 3.4<br><\/code><\/pre>\n\n\n\n<p class=\"translation-block\">Translation: remote exploitation is possible and not very complex, but <strong>high privileges are required<\/strong> and <strong>user interaction<\/strong> is necessary; the impact is mainly on <strong>integrity<\/strong> (content injection\/modification), not on confidentiality or availability. 
Hence a \"moderate\" score, but not one to be ignored.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What the vulnerability does<\/h2>\n\n\n\n<p class=\"translation-block\"><strong>Concretely, a user with access to custom fields can insert HTML code that will be displayed as is on pages.<\/strong><br>Result: degraded rendering, <strong>deception of visitors<\/strong> via booby-trapped content (fake buttons, banners, links), and a <strong>springboard to XSS<\/strong> depending on how your theme\/blocks redisplay these fields.<\/p>\n\n\n\n<p class=\"translation-block\">On the <strong>administration<\/strong> side, ACF points out that the unintentional <strong>import of malicious content<\/strong> (e.g. via field-group JSON) could also pose a problem in certain use cases.<\/p>\n\n\n\n<p class=\"translation-block\">Finally, we can assume that <strong>in certain ACF contexts<\/strong>, <strong>simple content editing<\/strong> by a user (not necessarily an admin) could be enough to exploit the flaw.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why bother if the score is \"only\" 4.6?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\"><strong>Huge exposure area<\/strong> (massively deployed plugin).<\/li>\n\n\n\n<li class=\"translation-block\">The \"<strong>PR:H + UI:A<\/strong>\" combination won't protect you if you have several highly privileged administrators\/editors, if you import third-party JSON, or if automations process ACF content.<\/li>\n\n\n\n<li class=\"translation-block\">The impact may seem \"visual\", but a nearby XSS can become an <strong>escalation lever<\/strong> (admin session theft, third-party script injection, etc.) 
if escaping is lax.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Affected versions and patch<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\"><strong>Vulnerable<\/strong>: ACF \u2264 <strong>6.4.2<\/strong> (depending on integration context and escaping).<\/li>\n\n\n\n<li class=\"translation-block\"><strong>Fix<\/strong>: <strong>6.4.3<\/strong> (ACF and ACF PRO).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Plausible exploitation scenarios<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\">Insertion of <strong>booby-trapped HTML<\/strong> in an ACF field displayed \"raw\" by the theme \u2192 fake buttons, pop-ups, redirects.<\/li>\n\n\n\n<li class=\"translation-block\"><strong>Internal phishing<\/strong>: content resembling legitimate components (CTAs, forms) to trick users.<\/li>\n\n\n\n<li><strong>Chain to XSS<\/strong> if the output is not secured (<code>esc_html<\/code>, <code>esc_attr<\/code>, <code>wp_kses<\/code>, etc.).<\/li>\n\n\n\n<li class=\"translation-block\"><strong>Import<\/strong> of field groups (JSON) containing malicious values, then re-rendered in the admin or on the front end.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What to do now (priorities)<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"translation-block\"><strong>Update ACF to 6.4.3<\/strong> everywhere (prod, preprod, clones).<\/li>\n\n\n\n<li class=\"translation-block\"><strong>Developers: check the escaping<\/strong> of ACF fields in themes\/blocks\/shortcodes: never display \"raw\" what comes from a field.<\/li>\n\n\n\n<li class=\"translation-block\"><strong>Check permissions<\/strong>: who can create\/edit fields, import JSON, publish rich content?<\/li>\n\n\n\n<li class=\"translation-block\"><strong>Avoid untrusted imports<\/strong>: don't load field groups from external sources without auditing them. 
A good reminder.<\/li>\n\n\n\n<li class=\"translation-block\"><strong>Monitor<\/strong>: active WAF, admin logs, alerts on modifications of templates\/sensitive pages.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Recommended hardening (bonus)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\">Deploy a <strong>Content-Security-Policy<\/strong> to limit the execution of unexpected scripts.<\/li>\n\n\n\n<li class=\"translation-block\">Centralize ACF output via <strong>helpers that systematically escape<\/strong>.<\/li>\n\n\n\n<li class=\"translation-block\">Replay critical pages with an <strong>XSS scanner<\/strong> and crawl for unexpected HTML elements.<\/li>\n\n\n\n<li class=\"translation-block\">Activate a WAF (web application firewall), as <a href=\"https:\/\/www.lrob.fr\/en\/web-hosting\/\" target=\"_self\">enabled by default on LRob hosting<\/a>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\"My site looks healthy, can I wait?\"<\/h3>\n\n\n\n<p>Bad idea: the cost of a production deployment is minimal compared to the risk of content hijacking on key pages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\"My theme already escapes variables, am I covered?\"<\/h3>\n\n\n\n<p>You reduce the risk, but <strong>update anyway<\/strong>: you don't control all the entry points (imports, third-party blocks\/shortcodes).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\"I can't patch today.\"<\/h3>\n\n\n\n<p>Activate a <strong>WAF<\/strong>, <strong>freeze<\/strong> non-essential accounts, temporarily <strong>deactivate<\/strong> the \"rich\" displays likely to be injected, then schedule the update as soon as possible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JVN (detailed advisory, CVSS v4.0 4.6 &amp; v3.0 3.4): <a href=\"https:\/\/jvn.jp\/en\/jp\/JVN21048820\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/jvn.jp\/en\/jp\/JVN21048820\/<\/a><\/li>\n\n\n\n<li>CVE 
Program (official CVE record): <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-54940\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.cve.org\/CVERecord?id=CVE-2025-54940<\/a><\/li>\n\n\n\n<li>ACF announcement (security release 6.4.3): <a href=\"https:\/\/www.advancedcustomfields.com\/blog\/acf-6-4-3-security-release\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.advancedcustomfields.com\/blog\/acf-6-4-3-security-release\/<\/a><\/li>\n\n\n\n<li>ACF plugin page (active installations, changelog): <a href=\"https:\/\/wordpress.org\/plugin\/advanced-custom-fields\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/wordpress.org\/plugin\/advanced-custom-fields\/<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>An HTML injection flaw affects Advanced Custom Fields up to version 6.4.2. Moderate risk, but it must be fixed quickly to avoid degraded pages, phishing or XSS.<\/p>","protected":false},"author":1,"featured_media":7844,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28],"tags":[],"class_list":["post-7843","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-securite"],"_links":{"self":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/comments?post=7843"}],"version-history":[{"count":2,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7843\/revisions"}],"predecessor-version":[{"id":8037,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/posts\/7843\/revisions\/8037"}],"w
p:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media\/7844"}],"wp:attachment":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media?parent=7843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/categories?post=7843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/tags?post=7843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}