vulnerability
WordPress Plugin: advanced-custom-fields: CVE-2022-40696: Exposure of Sensitive Information to an Unauthorized Actor
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:P/I:N/A:N) | Oct 18, 2022 | May 15, 2025 | May 5, 2026 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published
Oct 18, 2022
Added
May 15, 2025
Modified
May 5, 2026
Description
The Advanced Custom Fields plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 6.0.2. While the ACF shortcode ensures that the ACF data being accessed is valid data that has been entered into ACF fields, it may be possible with certain site configurations, that contributor-level users may extract sensitive user or configuration data.
Solution
advanced-custom-fields-plugin-cve-2022-40696
References
- https://www.cve.org/CVERecord?id=CVE-2022-40696
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6b26093a-ffb8-4d22-add1-eecd94f88129?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-43967
- CVE-2022-40696
- https://attackerkb.com/topics/CVE-2022-40696
- CWE-200
- EUVD-EUVD-2022-43967
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.