CVE-2023-6701 in Advanced Custom Fields Plugin
Summary
by MITRE • 02/06/2024
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The Advanced Custom Fields plugin for WordPress represents one of the most widely used tools for extending WordPress functionality through custom content management capabilities. This plugin enables administrators to create custom fields and content types beyond WordPress's standard offerings, making it an essential component for many websites and applications. However, the vulnerability identified in CVE-2023-6701 exposes a critical weakness in the plugin's handling of user input within custom text fields, affecting all versions up to and including 6.2.4. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate and sanitize user-supplied data before it is stored in the database and subsequently rendered on web pages. This flaw specifically impacts the plugin's custom text field functionality, where malicious actors can exploit the insufficient validation to inject malicious scripts that persist in the database.
The technical nature of this vulnerability places it firmly within the category of stored cross-site scripting attacks, which are classified under CWE-0000079 in the Common Weakness Enumeration system. This vulnerability allows authenticated attackers who possess contributor-level access or higher to execute malicious code within the context of other users' browsers. The attack vector specifically targets the custom text field implementation where user input is not properly sanitized before being stored and later displayed. When a victim accesses a page containing the maliciously injected script, the code executes automatically in their browser, potentially leading to session hijacking, data theft, or further exploitation of the victim's privileges. The vulnerability's impact is particularly concerning because it leverages the trust relationship between users and the WordPress platform, allowing attackers to bypass normal security controls that protect against reflected XSS attacks.
The operational impact of CVE-2023-6701 extends beyond simple script execution, as it creates a persistent threat that can affect multiple users over time. Since the malicious scripts are stored in the database rather than being reflected in URLs, they remain active until manually removed or the vulnerability is patched. This stored nature means that even if an attacker's initial access is temporary, their injected scripts continue to execute whenever any user with appropriate permissions views affected pages. The vulnerability particularly affects websites where contributors or higher-level users have the ability to create or modify custom fields, which is common in many WordPress installations. Attackers can leverage this to gain access to sensitive information, manipulate content, or establish persistence within the affected WordPress environment. The attack follows the typical STIX pattern of exploiting authentication bypasses and privilege escalation to achieve persistent malicious access to systems.
The exploitation of this vulnerability aligns with several tactics outlined in the MITRE ATT&CK framework, particularly those related to initial access and execution phases. The vulnerability enables attackers to achieve code execution through legitimate administrative interfaces, making it difficult to detect through traditional security monitoring. Organizations should implement immediate mitigations including updating to the latest version of the Advanced Custom Fields plugin, which addresses the input sanitization and output escaping issues. Additionally, implementing proper input validation and output encoding practices, along with restricting contributor-level access to only necessary administrative functions, can significantly reduce the attack surface. Security monitoring should include checks for unusual content modifications in custom fields, and regular vulnerability assessments should be conducted to identify similar weaknesses in other plugins or themes. The incident highlights the critical importance of input validation in web applications and demonstrates how seemingly minor security flaws can lead to significant compromise opportunities in content management systems.