The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-49593

CVE-2024-49593: Advanced Custom Fields XSS Vulnerability

CVE-2024-49593 is a stored cross-site scripting vulnerability in Advanced Custom Fields and Secure Custom Fields plugins for WordPress. Attackers can execute malicious scripts via the Field Group editor. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated: May 15, 2026

CVE-2024-49593 Overview

CVE-2024-49593 is a stored cross-site scripting (XSS) vulnerability affecting the Advanced Custom Fields (ACF) and Secure Custom Fields plugins for WordPress. The flaw exists in versions of ACF before 6.3.9 and Secure Custom Fields before 6.3.6.3. An attacker can plant a stored XSS payload that executes when an administrator or editor opens the affected field inside the Field Group editor. The issue is tracked under CWE-79 and primarily impacts confidentiality of administrative sessions in WordPress sites that rely on these custom field plugins.

Critical Impact

A stored XSS payload triggered through the Field Group editor can execute in the context of authenticated WordPress users, exposing session data and enabling further actions in the admin interface.

Affected Products

  • Advanced Custom Fields (ACF) plugin for WordPress versions prior to 6.3.9
  • Secure Custom Fields plugin for WordPress versions prior to 6.3.6.3
  • WordPress sites using the Field Group editor feature of either plugin

Discovery Timeline

  • 2024-10-17 - CVE-2024-49593 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2024-49593

Vulnerability Analysis

The vulnerability is a stored cross-site scripting issue in the Field Group editor component of ACF and its Secure Custom Fields fork. Field group definitions in ACF are persisted in the WordPress database and rendered back into the administrator UI when an editor opens a field for modification. The plugins fail to properly sanitize or escape attacker-controlled values stored in field configuration before rendering them in the editor view. When a privileged user edits an affected field, the stored payload executes in the browser as part of the WordPress admin page. The vulnerability requires no user interaction beyond opening the field group in the editor, and it operates entirely within the authenticated admin context.

Root Cause

The root cause is improper neutralization of input during web page generation [CWE-79]. The plugins write field metadata into administrative views without applying contextually correct output encoding. Any account capable of influencing field group data, whether through legitimate plugin features or chained vulnerabilities, can persist a payload that later runs in the admin UI.

Attack Vector

The attack is network-based and does not require authentication or user interaction by the victim beyond normal use of the plugin. An attacker who can introduce malicious content into a field group, for example through a lower-privileged role with field editing rights or via a separate input vector that writes to ACF data, stores the payload in the database. The payload runs when a higher-privileged user opens that field in the Field Group editor, potentially exposing cookies, nonces, and other browser-accessible session material.

No verified proof-of-concept code is published for CVE-2024-49593. See the ACF Changelog and the WordPress plugin page for the vendor description of the fix.

Detection Methods for CVE-2024-49593

Indicators of Compromise

  • Unexpected <script> tags, event handler attributes such as onerror or onload, or javascript: URIs stored in ACF field group records inside the wp_posts or wp_postmeta tables.
  • Outbound requests from administrator browsers to unknown domains immediately after opening a Field Group in wp-admin.
  • New or modified administrator accounts, plugin installations, or theme edits performed shortly after an admin session with the ACF editor.

Detection Strategies

  • Audit ACF field group entries in the WordPress database for HTML and JavaScript syntax in fields that should contain only plain text labels, names, or instructions.
  • Review web server access logs for POST requests to admin-ajax.php and ACF endpoints that contain script-like payloads in field configuration parameters.
  • Compare installed plugin versions against 6.3.9 for ACF and 6.3.6.3 for Secure Custom Fields, flagging any host running an older release.

Monitoring Recommendations

  • Forward WordPress audit logs and web server logs to a centralized analytics platform and alert on script patterns within ACF-related parameters.
  • Monitor administrator session activity for anomalous nonce usage or actions executed immediately after Field Group editor page loads.
  • Track plugin version drift across managed WordPress estates so that vulnerable ACF and Secure Custom Fields instances surface for remediation.

How to Mitigate CVE-2024-49593

Immediate Actions Required

  • Update Advanced Custom Fields to version 6.3.9 or later, or Secure Custom Fields to version 6.3.6.3 or later, on every WordPress installation.
  • Inventory all WordPress sites that include ACF or Secure Custom Fields and confirm the running version through the plugin manager or wp plugin list.
  • Review and clean existing field group definitions for any stored HTML or JavaScript content that should not be present.

Patch Information

The vendor addressed the vulnerability in Advanced Custom Fields 6.3.9 and Secure Custom Fields 6.3.6.3. Operators using the WP Engine update channel for the free version of ACF should follow the process described in the ACF upgrade guide. Release notes are available in the ACF Changelog and the vendor status update.

Workarounds

  • Restrict access to the Field Group editor to a minimal set of trusted administrators until the patched version is deployed.
  • Deploy a web application firewall rule that blocks script tags and JavaScript event handlers in POST requests to ACF administration endpoints.
  • Disable the ACF or Secure Custom Fields plugin on sites where an immediate upgrade is not feasible and field group editing is not required.
bash
# Configuration example: upgrade ACF using WP-CLI
wp plugin update advanced-custom-fields --version=6.3.9
wp plugin list --name=advanced-custom-fields --fields=name,status,version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeXSS

  • Vendor/TechWordpress

  • SeverityMEDIUM

  • CVSS Score5.3

  • EPSS Probability0.92%

  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-79
  • Technical References
  • WordPress Plugin Documentation

  • ACF Blog Upgrade Guide

  • ACF Changelog Information

  • ACF Twitter Status Update
  • Related CVEs
  • CVE-2026-1543: Avada Builder WordPress XSS Vulnerability

  • CVE-2026-4811: WPB Floating Menu Plugin XSS Vulnerability

  • CVE-2026-7613: WordPress Cost of Goods Plugin XSS Flaw

  • CVE-2026-5776: Email Encoder WordPress Plugin XSS Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English