CVE-2025-54940 LOW

Vendor Wpengine, Inc.
Product Advanced Custom Fields
Weakness CWE-94 · Code injection
Published August 8, 2025
Last update August 8, 2025

CVSS base score

3.4/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Scope Changed
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

01 Description

An HTML injection vulnerability exists in the WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and the page display may be tampered with.

Explanation of Vulnerability in Simple Terms

02 Summary

Advanced Custom Fields contains a code injection vulnerability affecting versions prior to 6.4.3. An authenticated user with high privileges can inject code through a crafted request, but a victim must interact with a specific page or link for the injected content to execute. The vulnerability has limited integrity impact and does not affect confidentiality or availability.

What an attacker can do

03 Attacker Capabilities

Inject and execute code within the site's context with the privileges of the authenticated user.

Potential impact on your site

04 Site Impact

A compromised admin account could inject malicious code, potentially modifying site content or behavior, though data theft and downtime are unlikely.

Conditions required to exploit

05 Prerequisites

Attacker must be authenticated with high-level privileges (e.g., administrator) and the victim must interact with a malicious link or page.

Key dates

06 Disclosure timeline

August 8, 2025 CVE published
August 8, 2025 Record updated