CVE-2024-45429 Overview
CVE-2024-45429 is a stored Cross-Site Scripting (XSS) vulnerability affecting Advanced Custom Fields and Advanced Custom Fields Pro, popular WordPress plugins used for creating custom field interfaces. The vulnerability allows an attacker with the 'capability' setting privilege to inject arbitrary JavaScript code through field labels, which then executes in the browser of other logged-in users with equivalent privileges.
Critical Impact
Authenticated attackers can store malicious scripts in field labels that execute in the context of other privileged users, potentially leading to session hijacking, administrative account compromise, or further attacks against the WordPress installation.
Affected Products
- Advanced Custom Fields versions 6.3.5 and earlier
- Advanced Custom Fields Pro versions 6.3.5 and earlier
- WordPress installations using vulnerable versions of these plugins
Discovery Timeline
- 2024-09-04 - CVE-2024-45429 published to NVD
- 2025-03-25 - Last updated in NVD database
Technical Details for CVE-2024-45429
Vulnerability Analysis
This stored XSS vulnerability exists within the field label handling functionality of the Advanced Custom Fields plugin. The plugin fails to properly sanitize user-supplied input when administrators or users with the 'capability' setting privilege create or modify custom field labels. This allows malicious script content to be persisted in the database and subsequently rendered without proper output encoding when other users view or interact with these fields.
The attack requires user interaction, as the victim must navigate to a page where the malicious field label is displayed. The vulnerability has a changed scope, meaning the vulnerable component (the plugin) impacts resources beyond its security scope (the victim's browser session). The exploitation results in potential disclosure of sensitive information and integrity violations through script execution.
Root Cause
The root cause of CVE-2024-45429 is insufficient input validation and output encoding in the field label processing functionality. When field labels are stored, the plugin does not adequately sanitize special characters or HTML/JavaScript content. Subsequently, when these labels are rendered in the WordPress admin interface, they are output without proper escaping, allowing any embedded scripts to execute in the context of the viewing user's session.
Attack Vector
The attack vector is network-based and requires low complexity to exploit. An attacker must first obtain access to a WordPress account with the 'capability' setting privilege, which controls access to ACF field management. Once authenticated, the attacker navigates to the field configuration interface and creates or modifies a field, inserting malicious JavaScript in the field label parameter.
When another user with similar or higher privileges (including administrators) accesses a page displaying the compromised field label, the malicious script executes within their authenticated browser session. This can be leveraged to steal session cookies, perform actions on behalf of the victim, or further escalate access within the WordPress installation.
Detection Methods for CVE-2024-45429
Indicators of Compromise
- Unexpected or suspicious JavaScript code present in ACF field label values in the WordPress database
- Unusual field configurations containing script tags, event handlers, or encoded JavaScript
- Browser developer console showing XSS warnings or unexpected script execution on ACF-related admin pages
- Audit logs indicating unauthorized modifications to ACF field group configurations
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in POST requests to ACF configuration endpoints
- Monitor WordPress database tables for ACF field configurations containing suspicious patterns like <script>, javascript:, or event handlers
- Deploy Content Security Policy (CSP) headers to detect and block unauthorized inline script execution
- Review access logs for unusual activity patterns involving ACF field management endpoints
Monitoring Recommendations
- Enable and regularly review WordPress activity logs for field group creation and modification events
- Configure real-time alerting for database changes to ACF-related tables
- Implement browser-based monitoring for CSP violation reports from admin users
- Establish baseline behavior for ACF administrative operations to identify anomalous activity
How to Mitigate CVE-2024-45429
Immediate Actions Required
- Update Advanced Custom Fields to version 6.3.6 or later immediately
- Update Advanced Custom Fields Pro to version 6.3.6 or later immediately
- Audit existing field configurations for any suspicious content in field labels
- Review user accounts with ACF management capabilities and revoke unnecessary privileges
Patch Information
WP Engine has released version 6.3.6 of both Advanced Custom Fields and Advanced Custom Fields Pro to address this vulnerability. The patch implements proper input sanitization and output encoding for field label content. Administrators should update through the WordPress plugin management interface or download the latest version from the WordPress Plugin Directory. Additional details about the security fix are available in the ACF 6.3.6 release announcement.
Workarounds
- Restrict the 'capability' setting privilege to only trusted administrators until the patch can be applied
- Implement a Web Application Firewall with XSS detection rules targeting ACF endpoints
- Enable Content Security Policy headers with strict inline script restrictions on the WordPress admin area
- Regularly audit field configurations and remove any suspicious or unexpected content from field labels
# Example: Restrict ACF field editing capabilities in wp-config.php
# Add before "That's all, stop editing!" line
# Limit ACF field group editing to super admins only
define('ACF_LITE', true);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
