CVE-2024-49593 Overview
CVE-2024-49593 is a stored cross-site scripting (XSS) vulnerability affecting the Advanced Custom Fields (ACF) and Secure Custom Fields plugins for WordPress. The flaw exists in versions of ACF before 6.3.9 and Secure Custom Fields before 6.3.6.3. An attacker can plant a stored XSS payload that executes when an administrator or editor opens the affected field inside the Field Group editor. The issue is tracked under CWE-79 and primarily impacts confidentiality of administrative sessions in WordPress sites that rely on these custom field plugins.
Critical Impact
A stored XSS payload triggered through the Field Group editor can execute in the context of authenticated WordPress users, exposing session data and enabling further actions in the admin interface.
Affected Products
- Advanced Custom Fields (ACF) plugin for WordPress versions prior to 6.3.9
- Secure Custom Fields plugin for WordPress versions prior to 6.3.6.3
- WordPress sites using the Field Group editor feature of either plugin
Discovery Timeline
- 2024-10-17 - CVE-2024-49593 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-49593
Vulnerability Analysis
The vulnerability is a stored cross-site scripting issue in the Field Group editor component of ACF and its Secure Custom Fields fork. Field group definitions in ACF are persisted in the WordPress database and rendered back into the administrator UI when an editor opens a field for modification. The plugins fail to properly sanitize or escape attacker-controlled values stored in field configuration before rendering them in the editor view. When a privileged user edits an affected field, the stored payload executes in the browser as part of the WordPress admin page. The vulnerability requires no user interaction beyond opening the field group in the editor, and it operates entirely within the authenticated admin context.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The plugins write field metadata into administrative views without applying contextually correct output encoding. Any account capable of influencing field group data, whether through legitimate plugin features or chained vulnerabilities, can persist a payload that later runs in the admin UI.
Attack Vector
The attack is network-based and does not require authentication or user interaction by the victim beyond normal use of the plugin. An attacker who can introduce malicious content into a field group, for example through a lower-privileged role with field editing rights or via a separate input vector that writes to ACF data, stores the payload in the database. The payload runs when a higher-privileged user opens that field in the Field Group editor, potentially exposing cookies, nonces, and other browser-accessible session material.
No verified proof-of-concept code is published for CVE-2024-49593. See the ACF Changelog and the WordPress plugin page for the vendor description of the fix.
Detection Methods for CVE-2024-49593
Indicators of Compromise
- Unexpected <script> tags, event handler attributes such as onerror or onload, or javascript: URIs stored in ACF field group records inside the wp_posts or wp_postmeta tables.
- Outbound requests from administrator browsers to unknown domains immediately after opening a Field Group in wp-admin.
- New or modified administrator accounts, plugin installations, or theme edits performed shortly after an admin session with the ACF editor.
Detection Strategies
- Audit ACF field group entries in the WordPress database for HTML and JavaScript syntax in fields that should contain only plain text labels, names, or instructions.
- Review web server access logs for POST requests to admin-ajax.php and ACF endpoints that contain script-like payloads in field configuration parameters.
- Compare installed plugin versions against 6.3.9 for ACF and 6.3.6.3 for Secure Custom Fields, flagging any host running an older release.
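The following Python script is an added example, not part of the original advisory: it implements the first and third detection strategies above (scanning field and field-group records for markup, and comparing plugin versions against the 6.3.9 / 6.3.6.3 fix lines) over constructed sample rows. It assumes the ACF storage layout in which field groups and fields are wp_posts rows of post_type acf-field-group and acf-field, with the label in post_title, the field name in post_excerpt and serialized settings in post_content; the regular expression and the sample rows are constructed for illustration.

```python
import re

# Versions that carry the vendor fix, taken from the advisory text above.
FIXED_VERSIONS = {
    "advanced-custom-fields": (6, 3, 9),
    "secure-custom-fields": (6, 3, 6, 3),
}

# Markup that has no place in plain-text labels, names or instructions (assumed pattern set).
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(?:iframe|svg|img)\b",
    re.IGNORECASE,
)

def parse_version(version: str) -> tuple:
    """'6.3.6.3' -> (6, 3, 6, 3); tuple comparison orders dotted versions correctly."""
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(slug: str, version: str) -> bool:
    """True when the installed version predates the fixed release for that plugin slug."""
    fixed = FIXED_VERSIONS.get(slug)
    return fixed is not None and parse_version(version) < fixed

def scan_rows(rows: list) -> list:
    """Return (ID, column, matched text) for ACF rows containing markup; other post types are skipped."""
    hits = []
    for row in rows:
        if row.get("post_type") not in ("acf-field", "acf-field-group"):
            continue
        for column in ("post_title", "post_excerpt", "post_content"):
            match = SUSPICIOUS.search(row.get(column) or "")
            if match:
                hits.append((row["ID"], column, match.group(0)))
    return hits

# Constructed sample rows shaped like wp_posts (not real site data); row 103 carries injected markup.
SAMPLE_ROWS = [
    {"ID": 101, "post_type": "acf-field-group", "post_title": "Page Settings",
     "post_excerpt": "group_page", "post_content": 'a:1:{s:8:"position";s:6:"normal";}'},
    {"ID": 102, "post_type": "acf-field", "post_title": "Headline",
     "post_excerpt": "headline", "post_content": 'a:1:{s:12:"instructions";s:18:"Enter the headline";}'},
    {"ID": 103, "post_type": "acf-field", "post_title": "Subtitle<script>/* constructed */</script>",
     "post_excerpt": "subtitle", "post_content": 'a:1:{s:12:"instructions";s:0:"";}'},
    {"ID": 104, "post_type": "post", "post_title": "Blog post mentioning <script> tags",
     "post_excerpt": "", "post_content": "<p>Ordinary content, not an ACF record.</p>"},
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print("suspicious ACF record:", hit)
```

On a live site the rows would come from a query such as selecting wp_posts rows where post_type is acf-field or acf-field-group; a hit is a record to review by hand, not proof of compromise.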
Monitoring Recommendations
- Forward WordPress audit logs and web server logs to a centralized analytics platform and alert on script patterns within ACF-related parameters.
- Monitor administrator session activity for anomalous nonce usage or actions executed immediately after Field Group editor page loads.
- Track plugin version drift across managed WordPress estates so that vulnerable ACF and Secure Custom Fields instances surface for remediation.
How to Mitigate CVE-2024-49593
Immediate Actions Required
- Update Advanced Custom Fields to version 6.3.9 or later, or Secure Custom Fields to version 6.3.6.3 or later, on every WordPress installation.
- Inventory all WordPress sites that include ACF or Secure Custom Fields and confirm the running version through the plugin manager or wp plugin list.
- Review and clean existing field group definitions for any stored HTML or JavaScript content that should not be present.
Patch Information
The vendor addressed the vulnerability in Advanced Custom Fields 6.3.9 and Secure Custom Fields 6.3.6.3. Operators using the WP Engine update channel for the free version of ACF should follow the process described in the ACF upgrade guide. Release notes are available in the ACF Changelog and the vendor status update.
Workarounds
- Restrict access to the Field Group editor to a minimal set of trusted administrators until the patched version is deployed.
- Deploy a web application firewall rule that blocks script tags and JavaScript event handlers in POST requests to ACF administration endpoints.
- Disable the ACF or Secure Custom Fields plugin on sites where an immediate upgrade is not feasible and field group editing is not required.
# Configuration example: upgrade ACF using WP-CLI
wp plugin update advanced-custom-fields --version=6.3.9
wp plugin list --name=advanced-custom-fields --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.