ACF Quick Edit Fields Security & Risk Analysis

wordpress.org/plugins/acf-quickedit-fields

Enable Columns, Filters, Quick Edit and Bulk Edit for ACF Fields in WordPress List Tables

30K active installs · v3.3.8 · PHP 5.6+ · WP 4.7+ · Updated Jan 11, 2025
Tags: acf · bulk-edit · columns · quickedit
92
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Dec 5, 2022
Safety Verdict

Is ACF Quick Edit Fields Safe to Use in 2026?

Generally Safe

Score 92/100

ACF Quick Edit Fields has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Dec 5, 2022 · Updated 1yr ago
Risk Assessment

The ACF Quick Edit Fields plugin v3.3.8 exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and effectively escaping most output. It also shows a robust implementation of capability checks and a single nonce check. However, the presence of three AJAX handlers without any authentication checks is a significant concern, creating a substantial attack surface that could be exploited by unauthenticated users.

The static analysis revealed two flows with unsanitized paths, although these were not flagged as critical or high severity. The vulnerability history indicates a past medium-severity vulnerability related to Authorization Bypass Through User-Controlled Key, and the fact that there are no currently unpatched CVEs is a positive sign. Despite the absence of critical vulnerabilities in the current version, the unprotected AJAX endpoints remain a primary risk. The plugin's history suggests a potential for authorization vulnerabilities, which, when combined with the exposed AJAX endpoints, could lead to serious security compromises if exploited.

In conclusion, while the plugin uses secure coding practices for database interactions and output handling, the significant number of unprotected AJAX entry points presents a clear and present danger. The past authorization bypass vulnerability further underscores the need for diligent security reviews. Users should be aware that this plugin has potential for exploitation due to its exposed AJAX functionality.

Key Concerns

  • Unprotected AJAX handlers present
  • Flows with unsanitized paths found
  • Past medium severity vulnerability
Vulnerabilities
1

ACF Quick Edit Fields Security Vulnerabilities

CVEs by Year

1 CVE in 2022

Severity Breakdown

Medium: 1

1 total CVE

CVE-2023-7286 · medium · 6.5 · Authorization Bypass Through User-Controlled Key

ACF Quick Edit Fields <= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference

Dec 5, 2022 Patched in 3.2.3 (681d)
Code Analysis
Analyzed Mar 16, 2026

ACF Quick Edit Fields Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (7 prepared)
Unescaped Output: 9 (82 escaped)
Nonce Checks: 1
Capability Checks: 13
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 7 total queries

Output Escaping

90% escaped · 91 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
render_filters (include\ACFQuickEdit\Admin\Filters.php:127)
Attack Surface
3 unprotected

ACF Quick Edit Fields Attack Surface

Entry Points: 3
Unprotected: 3

AJAX Handlers: 3

auth · wp_ajax_acf/field_group/render_field_settings · include\ACFQuickEdit\Admin\Admin.php:88
auth · wp_ajax_pll_update_post_rows · include\ACFQuickEdit\Compat\Polylang.php:30
auth · wp_ajax_pll_update_term_rows · include\ACFQuickEdit\Compat\Polylang.php:31
WordPress Hooks: 56

action · after_setup_theme · include\ACFQuickEdit\Admin\Admin.php:84
action · acf/field_group/admin_head · include\ACFQuickEdit\Admin\Admin.php:87
filter · acf/load_field_group · include\ACFQuickEdit\Admin\Admin.php:90
action · admin_notices · include\ACFQuickEdit\Admin\Admin.php:135
action · load-edit.php · include\ACFQuickEdit\Admin\Admin.php:154
action · load-edit-tags.php · include\ACFQuickEdit\Admin\Admin.php:155
action · load-users.php · include\ACFQuickEdit\Admin\Admin.php:156
action · acf/field_group/admin_enqueue_scripts · include\ACFQuickEdit\Admin\Admin.php:157
filter · posts_search · include\ACFQuickEdit\Admin\BackendSearch.php:61
filter · posts_join · include\ACFQuickEdit\Admin\BackendSearch.php:88
filter · posts_groupby · include\ACFQuickEdit\Admin\BackendSearch.php:100
filter · terms_clauses · include\ACFQuickEdit\Admin\BackendSearch.php:121
action · pre_user_query · include\ACFQuickEdit\Admin\BackendSearch.php:156
filter · user_search_columns · include\ACFQuickEdit\Admin\BackendSearch.php:162
filter · acf/validate_value · include\ACFQuickEdit\Admin\Bulkedit.php:99
action · bulk_edit_custom_box · include\ACFQuickEdit\Admin\Bulkedit.php:104
filter · admin_body_class · include\ACFQuickEdit\Admin\Columns.php:152
filter · posts_clauses · include\ACFQuickEdit\Admin\Columns.php:303
filter · terms_clauses · include\ACFQuickEdit\Admin\Columns.php:339
filter · users_pre_query · include\ACFQuickEdit\Admin\Columns.php:367
filter · acf/location/rule_match/post_category · include\ACFQuickEdit\Admin\CurrentView.php:201
filter · acf/location/rule_match/post_taxonomy · include\ACFQuickEdit\Admin\CurrentView.php:202
filter · acf/location/rule_match/post_format · include\ACFQuickEdit\Admin\CurrentView.php:203
filter · acf/location/rule_match/post_status · include\ACFQuickEdit\Admin\CurrentView.php:204
filter · acf/location/rule_match/attachment · include\ACFQuickEdit\Admin\CurrentView.php:205
filter · acf/location/rule_match · include\ACFQuickEdit\Admin\CurrentView.php:294
filter · quick_edit_show_taxonomy · include\ACFQuickEdit\Admin\EditFeature.php:100
action · edit_term · include\ACFQuickEdit\Admin\EditFeature.php:152
action · save_post · include\ACFQuickEdit\Admin\EditFeature.php:173
action · admin_init · include\ACFQuickEdit\Admin\Feature.php:51
action · current_screen · include\ACFQuickEdit\Admin\Feature.php:54
filter · acf/load_field · include\ACFQuickEdit\Admin\Feature.php:57
action · pre_get_posts · include\ACFQuickEdit\Admin\Feature.php:89
action · parse_term_query · include\ACFQuickEdit\Admin\Feature.php:93
filter · pre_get_users · include\ACFQuickEdit\Admin\Feature.php:97
filter · acf/field_group/additional_group_settings_tabs · include\ACFQuickEdit\Admin\FieldGroup.php:18
action · acf/field_group/render_group_settings_tab/quickedit_fields · include\ACFQuickEdit\Admin\FieldGroup.php:19
action · restrict_manage_posts · include\ACFQuickEdit\Admin\Filters.php:91
action · pre_get_posts · include\ACFQuickEdit\Admin\Filters.php:92
action · admin_footer · include\ACFQuickEdit\Admin\Filters.php:96
action · parse_term_query · include\ACFQuickEdit\Admin\Filters.php:97
action · manage_users_extra_tablenav · include\ACFQuickEdit\Admin\Filters.php:105
filter · pre_get_users · include\ACFQuickEdit\Admin\Filters.php:106
action · acf/render_field_group_settings · include\ACFQuickEdit\Admin\LegacyFieldGroup.php:22
filter · acf/load_field_group · include\ACFQuickEdit\Admin\LegacyFieldGroup.php:23
action · acf/render_field/type=column_setting · include\ACFQuickEdit\Admin\LegacyFieldGroup.php:26
action · acf/render_field/type=edit_setting · include\ACFQuickEdit\Admin\LegacyFieldGroup.php:28
action · quick_edit_custom_box · include\ACFQuickEdit\Admin\Quickedit.php:49
filter · acf_quick_edit_post_ajax_actions · include\ACFQuickEdit\Compat\Polylang.php:25
filter · acf_quick_edit_term_ajax_actions · include\ACFQuickEdit\Compat\Polylang.php:26
filter · acf_quick_edit_post_id_request_param · include\ACFQuickEdit\Compat\Polylang.php:27
action · plugins_loaded · include\ACFQuickEdit\Core\Core.php:24
filter · safecss_filter_attr_allow_css · include\ACFQuickEdit\Core\Core.php:26
action · admin_init · include\ACFQuickEdit\Core\Plugin.php:40
action · plugins_loaded · include\ACFQuickEdit\Core\Plugin.php:42
action · print_media_templates · include\ACFQuickEdit\Fields\LinkField.php:59
Maintenance & Trust

ACF Quick Edit Fields Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 11, 2025
PHP min version: 5.6
Downloads: 451K

Community Trust

Rating: 90/100
Number of ratings: 42
Active installs: 30K
Developer Profile

ACF Quick Edit Fields Developer Profile

podpirate

6 plugins · 51K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 345 days
Detection Fingerprints

How We Detect ACF Quick Edit Fields

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/acf-quickedit-fields/js/acf-quickedit.js
/wp-content/plugins/acf-quickedit-fields/js/acf-columns.js
/wp-content/plugins/acf-quickedit-fields/css/acf-quickedit.css
Script Paths
/wp-content/plugins/acf-quickedit-fields/js/acf-quickedit.js
/wp-content/plugins/acf-quickedit-fields/js/acf-columns.js
Version Parameters
acf-quickedit-fields/js/acf-quickedit.js?ver=
acf-quickedit-fields/js/acf-columns.js?ver=
acf-quickedit-fields/css/acf-quickedit.css?ver=

HTML / DOM Fingerprints

CSS Classes
acf-quickedit-active
Data Attributes
data-acf-quickedit-nonce
JS Globals
acf_quickedit_ajax_object