Does Advanced Custom Fields (ACF®) have any unpatched vulnerabilities?

No. All known vulnerabilities in Advanced Custom Fields (ACF®) have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Advanced Custom Fields (ACF®) compatible with WordPress 6.9.4?

According to WordPress.org data, Advanced Custom Fields (ACF®) 6.7.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Advanced Custom Fields (ACF®) compatible with PHP 7.4+?

Advanced Custom Fields (ACF®) requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Advanced Custom Fields (ACF®) updated?

Advanced Custom Fields (ACF®) was last updated on Mar 3, 2026. Frequent updates are generally a positive security signal.

What is Advanced Custom Fields (ACF®)'s security score?

Advanced Custom Fields (ACF®) has a WP-Safety security score of 93/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Advanced Custom Fields (ACF®) Security & Risk Analysis

wordpress.org/plugins/advanced-custom-fields

ACF helps customize WordPress with powerful, professional and intuitive fields. Proudly powering over 2 million sites, WordPress developers love ACF.

2.0M active installs v6.7.1 PHP 7.4+ WP 6.2+ Updated Mar 3, 2026

acfcustom-fieldsfieldsmetarepeater

A · Safe

CVEs total9

Unpatched0

Last CVEAug 8, 2025

Plugin page Download

Safety Verdict

Is Advanced Custom Fields (ACF®) Safe to Use in 2026?

Generally Safe

Score 93/100

Advanced Custom Fields (ACF®) has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEsLast CVE: Aug 8, 2025Updated 1mo ago

Risk Assessment

The Advanced Custom Fields (ACF) plugin exhibits a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a high percentage of properly escaped output, several areas raise concerns. The static analysis reveals a significant attack surface with 22 AJAX handlers, 7 of which lack authentication checks. This is a substantial risk, as it presents potential entry points for unauthorized actions. Furthermore, the presence of `unserialize` is a critical red flag, especially when combined with the possibility of unsanitized paths in taint analysis flows, although no critical or high severity flows were explicitly found in this instance.

The vulnerability history for ACF is a significant concern. A total of 9 known CVEs, with a recent one in 2025, and a past high-severity vulnerability indicate a recurring pattern of security weaknesses. The types of past vulnerabilities, including Improper Input Validation, Exposure of Sensitive Information, Missing Authorization, Deserialization of Untrusted Data, XSS, and PHP RFI, suggest that the plugin has been susceptible to a broad range of attacks. While there are currently no unpatched vulnerabilities, the historical prevalence of medium and low-severity issues, alongside a past high-severity one, means that vigilance is paramount. The plugin's strengths lie in its robust SQL handling and output escaping, but the uncovered attack surface and historical vulnerability trends necessitate caution.

Key Concerns

Unprotected AJAX handlers
Presence of unserialize function
Flows with unsanitized paths
Bundled outdated library (Select2 v3.5.2)
1 High severity CVE historically
7 Medium severity CVEs historically
1 Low severity CVE historically

Vulnerabilities

Advanced Custom Fields (ACF®) Security Vulnerabilities

CVEs by Year

1 CVE in 2013

2013

1 CVE in 2018

2018

1 CVE in 2019

2019

1 CVE in 2020

2020

2 CVEs in 2022

2022

2 CVEs in 2023

2023

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

High

Medium

Low

9 total CVEs

CVE-2025-54940medium · 4.1Improper Input Validation

Advanced Custom Fields <= 6.4.2. - HTML Injection

Aug 8, 2025 Patched in 6.4.3 (18d)

CVE-2023-40068medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced Custom Fields 6.1 - 6.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Aug 3, 2023 Patched in 6.1.8 (173d)

CVE-2023-1196high · 8.8Deserialization of Untrusted Data

Advanced Custom Fields <= 6.0.7 - Authenticated (Contributor+) PHP Object Injection

Apr 3, 2023 Patched in 5.12.5 (295d)

CVE-2022-40696medium · 4.3Exposure of Sensitive Information to an Unauthorized Actor

Advanced Custom Fields <= 6.0.2 - Authenticated (Contributor+) Information Disclosure

Oct 18, 2022 Patched in 6.0.3 (462d)

CVE-2022-2594medium · 4.3Missing Authorization

Advanced Custom Fields <= 5.12.2 - File Upload

Jul 14, 2022 Patched in 5.12.3 (558d)

CVE-2020-36172medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced Custom Fields <= 5.8.11 - Cross-Site Scripting

Jun 10, 2020 Patched in 5.8.12 (1322d)

WF-5eab8a5d-8eb8-495f-a953-b468360cc5d5-advanced-custom-fieldsmedium · 5.4Deserialization of Untrusted Data

Advanced Custom Fields <= 5.7.11 - PHP Object Injection

Feb 15, 2019 Patched in 5.7.12 (1803d)

CVE-2018-20986medium · 5.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced Custom Fields <= 5.7.7 - Author+ Stored Cross-Site Scripting

Dec 7, 2018 Patched in 5.7.8 (1873d)

CVE-2012-10025low · 3.8Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Advanced Custom Fields <= 3.5.1 - Remote Code Execution via Remote File Inclusion

Jan 3, 2013 Patched in 3.5.2 (4615d)

Code Analysis

Analyzed Mar 16, 2026

Advanced Custom Fields (ACF®) Code Analysis

Dangerous Functions

Raw SQL Queries

24 prepared

Unescaped Output

138

464 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserializereturn @unserialize( trim( $data ), array( 'allowed_classes' => false ) ); //phpcs:ignore -- allowedincludes\acf-helper-functions.php:663

Bundled Libraries

Select23.5.2

SQL Query Safety

100% prepared24 total queries

Output Escaping

77% escaped602 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

8 flows4 with unsanitized paths

submit (includes\admin\tools\class-acf-admin-tool-import.php:153)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

7 unprotected

Advanced Custom Fields (ACF®) Attack Surface

Entry Points23

Unprotected7

AJAX Handlers 22

authwp_ajax_acf/link_field_groupsincludes\admin\admin-internal-post-type.php:47

authwp_ajax_acf/field_group/render_field_settingsincludes\admin\post-types\admin-field-group.php:45

authwp_ajax_acf/field_group/render_location_ruleincludes\admin\post-types\admin-field-group.php:46

authwp_ajax_acf/field_group/move_fieldincludes\admin\post-types\admin-field-group.php:47

authwp_ajax_acf/fields/oembed/searchincludes\fields\class-acf-field-oembed.php:46

noprivwp_ajax_acf/fields/oembed/searchincludes\fields\class-acf-field-oembed.php:47

authwp_ajax_acf/fields/page_link/queryincludes\fields\class-acf-field-page_link.php:45

noprivwp_ajax_acf/fields/page_link/queryincludes\fields\class-acf-field-page_link.php:46

authwp_ajax_acf/fields/post_object/queryincludes\fields\class-acf-field-post_object.php:40

noprivwp_ajax_acf/fields/post_object/queryincludes\fields\class-acf-field-post_object.php:41

authwp_ajax_acf/fields/relationship/queryincludes\fields\class-acf-field-relationship.php:44

noprivwp_ajax_acf/fields/relationship/queryincludes\fields\class-acf-field-relationship.php:45

authwp_ajax_acf/fields/select/queryincludes\fields\class-acf-field-select.php:43

noprivwp_ajax_acf/fields/select/queryincludes\fields\class-acf-field-select.php:44

authwp_ajax_acf/fields/taxonomy/queryincludes\fields\class-acf-field-taxonomy.php:51

noprivwp_ajax_acf/fields/taxonomy/queryincludes\fields\class-acf-field-taxonomy.php:52

authwp_ajax_acf/fields/taxonomy/add_termincludes\fields\class-acf-field-taxonomy.php:53

authwp_ajax_acf/fields/user/queryincludes\fields\class-acf-field-user.php:44

noprivwp_ajax_acf/fields/user/queryincludes\fields\class-acf-field-user.php:45

authwp_ajax_query-attachmentsincludes\media.php:41

authwp_ajax_acf/validate_save_postincludes\validation.php:38

noprivwp_ajax_acf/validate_save_postincludes\validation.php:39

Shortcodes 1

[acf] includes\api\api-template.php:1133

WordPress Hooks 278

actioninitacf.php:306

actioninitacf.php:307

actioninitacf.php:308

actionactivated_pluginacf.php:309

actionpre_current_active_pluginsacf.php:310

filterposts_whereacf.php:313

filterwpml_get_home_urlacf.php:868

filtertrp_home_urlacf.php:869

actionacf/fields/select/query/key=_acf_bidirectional_targetincludes\acf-bidirectional-functions.php:207

actionacf/validate_fieldincludes\acf-field-functions.php:343

filterwp_unique_post_slugincludes\acf-field-functions.php:1115

actionwp_untrash_post_statusincludes\acf-field-functions.php:1280

actionacf/save_postincludes\acf-form-functions.php:180

filterwp_kses_allowed_htmlincludes\acf-input-functions.php:114

actionswitch_blogincludes\acf-utility-functions.php:113

actionacf/get_invalid_field_valueincludes\acf-value-functions.php:406

actioncurrent_screenincludes\admin\admin-internal-post-type-list.php:70

actionadmin_footerincludes\admin\admin-internal-post-type-list.php:71

actiontrashed_postincludes\admin\admin-internal-post-type-list.php:74

actionuntrashed_postincludes\admin\admin-internal-post-type-list.php:75

actiondeleted_postincludes\admin\admin-internal-post-type-list.php:76

actionadmin_enqueue_scriptsincludes\admin\admin-internal-post-type-list.php:159

actionadmin_body_classincludes\admin\admin-internal-post-type-list.php:160

filterdisplay_post_statesincludes\admin\admin-internal-post-type-list.php:164

actionadmin_footerincludes\admin\admin-internal-post-type-list.php:166

filterpage_row_actionsincludes\admin\admin-internal-post-type-list.php:169

actionadmin_footerincludes\admin\admin-internal-post-type-list.php:174

actioncurrent_screenincludes\admin\admin-internal-post-type.php:45

filteruse_block_editor_for_post_typeincludes\admin\admin-internal-post-type.php:48

actionadmin_body_classincludes\admin\admin-internal-post-type.php:93

filterpost_updated_messagesincludes\admin\admin-internal-post-type.php:94

actionacf/input/admin_enqueue_scriptsincludes\admin\admin-internal-post-type.php:95

actionacf/input/admin_headincludes\admin\admin-internal-post-type.php:96

actionacf/input/form_dataincludes\admin\admin-internal-post-type.php:97

actionacf/input/admin_footerincludes\admin\admin-internal-post-type.php:98

filteracf/input/admin_l10nincludes\admin\admin-internal-post-type.php:100

actionadmin_noticesincludes\admin\admin-notices.php:126

actionadmin_menuincludes\admin\admin-options-pages-preview.php:25

actionadmin_body_classincludes\admin\admin-options-pages-preview.php:47

actionadmin_menuincludes\admin\admin-tools.php:48

actionadmin_body_classincludes\admin\admin-tools.php:141

actionadmin_menuincludes\admin\admin-upgrade.php:42

actionnetwork_admin_menuincludes\admin\admin-upgrade.php:44

actionadmin_noticesincludes\admin\admin-upgrade.php:65

actionnetwork_admin_noticesincludes\admin\admin-upgrade.php:95

actionswitch_blogincludes\admin\admin-upgrade.php:152

actionadmin_body_classincludes\admin\admin-upgrade.php:177

actionadmin_body_classincludes\admin\admin-upgrade.php:199

actionadmin_menuincludes\admin\admin.php:26

actionadmin_enqueue_scriptsincludes\admin\admin.php:27

actionadmin_body_classincludes\admin\admin.php:28

actioncurrent_screenincludes\admin\admin.php:29

actionadmin_noticesincludes\admin\admin.php:30

actionadmin_noticesincludes\admin\admin.php:31

actionadmin_initincludes\admin\admin.php:32

actionadmin_initincludes\admin\admin.php:33

filterparent_fileincludes\admin\admin.php:34

filtersubmenu_fileincludes\admin\admin.php:35

actionin_admin_headerincludes\admin\admin.php:112

filteradmin_footer_textincludes\admin\admin.php:113

filterupdate_footerincludes\admin\admin.php:114

actionpost_submitbox_misc_actionsincludes\admin\post-types\admin-field-group.php:183

actionedit_form_after_titleincludes\admin\post-types\admin-field-group.php:184

filterscreen_settingsincludes\admin\post-types\admin-field-group.php:187

filterget_user_option_screen_layout_acf-field-groupincludes\admin\post-types\admin-field-group.php:188

actionadmin_menuincludes\admin\post-types\admin-field-groups.php:46

actionload-edit.phpincludes\admin\post-types\admin-field-groups.php:47

actionpost_classincludes\admin\post-types\admin-field-groups.php:48

actionpost_submitbox_misc_actionsincludes\admin\post-types\admin-post-type.php:162

actionedit_form_after_titleincludes\admin\post-types\admin-post-type.php:163

filterscreen_settingsincludes\admin\post-types\admin-post-type.php:166

filterget_user_option_screen_layout_acf-post-typeincludes\admin\post-types\admin-post-type.php:167

filterget_user_option_metaboxhidden_acf-post-typeincludes\admin\post-types\admin-post-type.php:168

filterget_user_option_closedpostboxes_acf-post-typeincludes\admin\post-types\admin-post-type.php:169

filterget_user_option_closedpostboxes_acf-post-typeincludes\admin\post-types\admin-post-type.php:170

actionadmin_menuincludes\admin\post-types\admin-post-types.php:50

actionadmin_menuincludes\admin\post-types\admin-taxonomies.php:49

actionpost_submitbox_misc_actionsincludes\admin\post-types\admin-taxonomy.php:164

actionedit_form_after_titleincludes\admin\post-types\admin-taxonomy.php:165

filterscreen_settingsincludes\admin\post-types\admin-taxonomy.php:168

filterget_user_option_screen_layout_acf-taxonomyincludes\admin\post-types\admin-taxonomy.php:169

filterget_user_option_metaboxhidden_acf-taxonomyincludes\admin\post-types\admin-taxonomy.php:170

filterget_user_option_closedpostboxes_acf-taxonomyincludes\admin\post-types\admin-taxonomy.php:171

filterget_user_option_closedpostboxes_acf-taxonomyincludes\admin\post-types\admin-taxonomy.php:172

filteruser_search_columnsincludes\ajax\class-acf-ajax-query-users.php:73

filterposts_orderbyincludes\api\api-helpers.php:1320

filteracf/settings/uploaderincludes\api\api-helpers.php:3055

filteracf/settings/enable_meta_box_cb_editincludes\api\api-helpers.php:4029

actionacf/removed_unsafe_htmlincludes\api\api-template.php:189

filteracf/prevent_access_to_unknown_fieldsincludes\api\api-template.php:1075

filterterms_clausesincludes\api\api-term.php:196

actioninitincludes\assets.php:54

actionadmin_enqueue_scriptsincludes\assets.php:189

actionadmin_print_scriptsincludes\assets.php:190

actionadmin_print_footer_scriptsincludes\assets.php:191

actionadmin_footerincludes\assets.php:320

filterwp_unique_post_slugincludes\class-acf-internal-post-type.php:84

actionwp_untrash_post_statusincludes\class-acf-internal-post-type.php:85

filteracf/validate_fieldincludes\compatibility.php:34

filteracf/validate_field/type=textareaincludes\compatibility.php:35

filteracf/validate_field/type=relationshipincludes\compatibility.php:36

filteracf/validate_field/type=post_objectincludes\compatibility.php:37

filteracf/validate_field/type=page_linkincludes\compatibility.php:38

filteracf/validate_field/type=imageincludes\compatibility.php:39

filteracf/validate_field/type=fileincludes\compatibility.php:40

filteracf/validate_field/type=wysiwygincludes\compatibility.php:41

filteracf/validate_field/type=date_pickerincludes\compatibility.php:42

filteracf/validate_field/type=taxonomyincludes\compatibility.php:43

filteracf/validate_field/type=date_time_pickerincludes\compatibility.php:44

filteracf/validate_field/type=userincludes\compatibility.php:45

filteracf/validate_field_groupincludes\compatibility.php:46

filteracf/field_wrapper_attributesincludes\compatibility.php:49

filteracf/location/validate_rule/type=post_taxonomyincludes\compatibility.php:52

filteracf/location/validate_rule/type=post_categoryincludes\compatibility.php:53

actionacf/initincludes\compatibility.php:56

filterget_media_item_argsincludes\fields\class-acf-field-file.php:45

filterget_media_item_argsincludes\fields\class-acf-field-image.php:50

filteracf/conditional_logic/choicesincludes\fields\class-acf-field-page_link.php:47

filteracf/conditional_logic/choicesincludes\fields\class-acf-field-post_object.php:42

filteracf/conditional_logic/choicesincludes\fields\class-acf-field-relationship.php:41

filteracf/conditional_logic/choicesincludes\fields\class-acf-field-taxonomy.php:54

actionacf/save_postincludes\fields\class-acf-field-taxonomy.php:57

filteracf/conditional_logic/choicesincludes\fields\class-acf-field-user.php:41

actionacf/ajax/query_users/initincludes\fields\class-acf-field-user.php:388

filteracf/ajax/query_users/argsincludes\fields\class-acf-field-user.php:389

filteracf/ajax/query_users/resultincludes\fields\class-acf-field-user.php:390

filteracf/ajax/query_users/search_columnsincludes\fields\class-acf-field-user.php:391

actionacf/enqueue_uploaderincludes\fields\class-acf-field-wysiwyg.php:51

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:71

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:73

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:74

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:75

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:76

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:78

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:79

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:83

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:84

filteracf_the_editor_contentincludes\fields\class-acf-field-wysiwyg.php:227

filteracf_the_contentincludes\fields\class-acf-field-wysiwyg.php:407

actionacf/input/admin_enqueue_scriptsincludes\fields\class-acf-field.php:84

actionacf/input/admin_headincludes\fields\class-acf-field.php:85

actionacf/input/form_dataincludes\fields\class-acf-field.php:86

filteracf/input/admin_l10nincludes\fields\class-acf-field.php:87

actionacf/input/admin_footerincludes\fields\class-acf-field.php:88

actionacf/field_group/admin_enqueue_scriptsincludes\fields\class-acf-field.php:91

actionacf/field_group/admin_headincludes\fields\class-acf-field.php:92

actionacf/field_group/admin_footerincludes\fields\class-acf-field.php:93

actionadmin_enqueue_scriptsincludes\forms\form-attachment.php:29

filterattachment_fields_to_editincludes\forms\form-attachment.php:32

filterattachment_fields_to_saveincludes\forms\form-attachment.php:35

actionadmin_footerincludes\forms\form-attachment.php:66

actionadmin_enqueue_scriptsincludes\forms\form-comment.php:30

filtercomment_form_field_commentincludes\forms\form-comment.php:33

actionedit_commentincludes\forms\form-comment.php:38

actioncomment_postincludes\forms\form-comment.php:39

actionadmin_footerincludes\forms\form-comment.php:90

actionadd_meta_boxes_commentincludes\forms\form-comment.php:91

actioncustomize_controls_initincludes\forms\form-customizer.php:50

actioncustomize_preview_initincludes\forms\form-customizer.php:51

actioncustomize_saveincludes\forms\form-customizer.php:52

filterwidget_update_callbackincludes\forms\form-customizer.php:55

actionacf/input/admin_footerincludes\forms\form-customizer.php:80

filteracf/pre_load_valueincludes\forms\form-customizer.php:234

filteracf/pre_load_referenceincludes\forms\form-customizer.php:235

actionacf/validate_save_postincludes\forms\form-front.php:37

filteracf/pre_save_postincludes\forms\form-front.php:38

actionenqueue_block_editor_assetsincludes\forms\form-gutenberg.php:34

actionacf/validate_save_postincludes\forms\form-gutenberg.php:37

actionadd_meta_boxesincludes\forms\form-gutenberg.php:54

actionblock_editor_meta_box_hidden_fieldsincludes\forms\form-gutenberg.php:57

filterfilter_block_editor_meta_boxesincludes\forms\form-gutenberg.php:60

actionadmin_enqueue_scriptsincludes\forms\form-nav-menu.php:33

actionwp_update_nav_menuincludes\forms\form-nav-menu.php:34

actionacf/validate_save_postincludes\forms\form-nav-menu.php:35

actionwp_nav_menu_item_custom_fieldsincludes\forms\form-nav-menu.php:36

filterwp_get_nav_menu_itemsincludes\forms\form-nav-menu.php:39

filterwp_edit_nav_menu_walkerincludes\forms\form-nav-menu.php:40

actionadmin_footerincludes\forms\form-nav-menu.php:66

actionload-post.phpincludes\forms\form-post.php:37

actionload-post-new.phpincludes\forms\form-post.php:38

filterwp_insert_post_empty_contentincludes\forms\form-post.php:41

actionsave_postincludes\forms\form-post.php:42

actionadd_meta_boxesincludes\forms\form-post.php:82

actionedit_form_after_titleincludes\forms\form-post.php:171

actionadmin_enqueue_scriptsincludes\forms\form-taxonomy.php:32

actioncreate_termincludes\forms\form-taxonomy.php:35

actionedit_termincludes\forms\form-taxonomy.php:36

actiondelete_termincludes\forms\form-taxonomy.php:39

actionadmin_footerincludes\forms\form-taxonomy.php:94

actionadmin_enqueue_scriptsincludes\forms\form-user.php:37

actionlogin_form_registerincludes\forms\form-user.php:38

actionshow_user_profileincludes\forms\form-user.php:41

actionedit_user_profileincludes\forms\form-user.php:42

actionuser_new_formincludes\forms\form-user.php:43

actionregister_formincludes\forms\form-user.php:44

actionuser_registerincludes\forms\form-user.php:47

actionprofile_updateincludes\forms\form-user.php:48

filterregistration_errorsincludes\forms\form-user.php:51

filteracf/pre_load_valueincludes\forms\form-user.php:194

actionacf/input/admin_footerincludes\forms\form-user.php:259

actionadmin_enqueue_scriptsincludes\forms\form-widget.php:46

actionin_widget_formincludes\forms\form-widget.php:47

actionacf/validate_save_postincludes\forms\form-widget.php:48

filterwidget_update_callbackincludes\forms\form-widget.php:51

actionacf/input/admin_footerincludes\forms\form-widget.php:80

filteracf/get_cache_keyincludes\l10n.php:156

filteracf/load_field_groupsincludes\local-fields.php:661

filteracf/load_post_typesincludes\local-fields.php:662

filteracf/load_taxonomiesincludes\local-fields.php:663

filteracf/load_ui_options_pagesincludes\local-fields.php:664

filteracf/is_field_keyincludes\local-fields.php:683

filteracf/is_field_group_keyincludes\local-fields.php:716

filteracf/is_post_type_keyincludes\local-fields.php:717

filteracf/is_taxonomy_keyincludes\local-fields.php:718

actionacf/include_fieldsincludes\local-fields.php:743

actionacf/update_field_groupincludes\local-json.php:44

actionacf/untrash_field_groupincludes\local-json.php:45

actionacf/trash_field_groupincludes\local-json.php:46

actionacf/delete_field_groupincludes\local-json.php:47

actionacf/update_post_typeincludes\local-json.php:48

actionacf/untrash_post_typeincludes\local-json.php:49

actionacf/trash_post_typeincludes\local-json.php:50

actionacf/delete_post_typeincludes\local-json.php:51

actionacf/update_taxonomyincludes\local-json.php:52

actionacf/untrash_taxonomyincludes\local-json.php:53

actionacf/trash_taxonomyincludes\local-json.php:54

actionacf/delete_taxonomyincludes\local-json.php:55

actionacf/include_fieldsincludes\local-json.php:58

actionacf/include_post_typesincludes\local-json.php:59

actionacf/include_taxonomiesincludes\local-json.php:60

filteracf/pre_load_post_idincludes\local-meta.php:40

filteracf/pre_load_metaincludes\local-meta.php:41

filteracf/pre_load_metadataincludes\local-meta.php:42

filteracf/pre_update_metadataincludes\local-meta.php:112

actionacf/enqueue_scriptsincludes\media.php:32

actionacf/save_postincludes\media.php:35

filterwp_handle_upload_prefilterincludes\media.php:38

filterimage_size_names_chooseincludes\media.php:130

filterwp_prepare_attachment_for_jsincludes\media.php:182

filterimage_size_names_chooseincludes\media.php:183

filterwp_prepare_attachment_for_jsincludes\media.php:185

filteracf/pre_update_field_groupincludes\post-types\class-acf-field-group.php:81

actionacf/initincludes\post-types\class-acf-post-type.php:84

filterenter_title_hereincludes\post-types\class-acf-post-type.php:85

actionacf/initincludes\post-types\class-acf-taxonomy.php:84

filterrest_pre_dispatchincludes\rest-api\class-acf-rest-api.php:31

actionrest_api_initincludes\rest-api\class-acf-rest-api.php:32

filterrest_prepare_userincludes\rest-api\class-acf-rest-embed-links.php:48

actionwp_restore_post_revisionincludes\revisions.php:29

filter_wp_post_revision_fieldsincludes\revisions.php:30

filter_wp_post_revision_fieldsincludes\revisions.php:31

filteracf/validate_post_idincludes\revisions.php:32

action_wp_put_post_revisionincludes\revisions.php:36

filterwp_save_post_revision_post_has_changedincludes\revisions.php:37

filterwp_post_revision_meta_keysincludes\revisions.php:38

filterwp_save_post_revision_check_for_changesincludes\revisions.php:42

filtertabify_posttypesincludes\third-party.php:27

actiontabify_add_meta_boxesincludes\third-party.php:28

filterpts_allowed_pagesincludes\third-party.php:33

filteracf/get_post_typesincludes\third-party.php:38

actiondoing_dark_modeincludes\third-party.php:43

actionwp_upgradeincludes\upgrades.php:459

actionacf/validate_save_postincludes\validation.php:40

actionacf/verify_ajaxincludes\wpml.php:48

filterget_translatable_documentsincludes\wpml.php:51

actionacf/upgrade_500_field_groupincludes\wpml.php:57

actionicl_make_duplicateincludes\wpml.php:58

filteracf/settings/save_jsonincludes\wpml.php:61

filteracf/settings/load_jsonincludes\wpml.php:62

actionacf/initsrc\Blocks\Bindings.php:30

actiondebug_informationsrc\Site_Health\Site_Health.php:34

actionacf_update_site_health_datasrc\Site_Health\Site_Health.php:35

actionacf/first_activatedsrc\Site_Health\Site_Health.php:42

actionacf/activated_prosrc\Site_Health\Site_Health.php:43

filteracf/pre_update_field_groupsrc\Site_Health\Site_Health.php:44

filteracf/pre_update_post_typesrc\Site_Health\Site_Health.php:45

filteracf/pre_update_taxonomysrc\Site_Health\Site_Health.php:46

filteracf/pre_update_ui_options_pagesrc\Site_Health\Site_Health.php:47

Scheduled Events 1

acf_update_site_health_data

Maintenance & Trust

Advanced Custom Fields (ACF®) Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 3, 2026

PHP min version7.4

Downloads67.9M

Community Trust

Rating90/100

Number of ratings1,427

Active installs2.0M

Alternatives

Advanced Custom Fields (ACF®) Alternatives

Advanced Custom Fields: Extended

acf-extended

All-in-one enhancement suite that improves WordPress & Advanced Custom Fields.

100K 4 CVEs

Advanced Custom Fields Repeater & Flexible Content Fields Collapser

advanced-custom-field-repeater-collapser

Easier sorting for large repeated fields in the Advanced Custom Fields plugin.

4K No CVEs

CubeWP Framework

cubewp-framework

CubeWP is an end-to-end dynamic content framework for WordPress to help you shrink time and cut cost of development up to 90%.

4K 1 unpatched

Sympl Repeater for ACF and Elementor

acf-repeater-for-elementor

100

Seamlessly integrate ACF Repeater fields with Elementor widgets and sections for dynamic, repeatable content blocks.

1K No CVEs

Ultimate Fields

ultimate-fields

Easy and powerful custom fields management: Post Meta, Options Pages, Repeaters and many field types!

900 No CVEs

Developer Profile

Advanced Custom Fields (ACF®) Developer Profile

WP Engine

16 plugins · 3.5M total installs

trust score

Avg Security Score

91/100

Avg Patch Time

1006 days

View full developer profile

Detection Fingerprints

How We Detect Advanced Custom Fields (ACF®)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/advanced-custom-fields/assets/css/acf-global.css/wp-content/plugins/advanced-custom-fields/assets/css/acf-admin.css/wp-content/plugins/advanced-custom-fields/assets/css/acf-field-group.css/wp-content/plugins/advanced-custom-fields/assets/css/acf-field.css/wp-content/plugins/advanced-custom-fields/assets/css/acf-settings.css/wp-content/plugins/advanced-custom-fields/assets/css/acf-modal.css/wp-content/plugins/advanced-custom-fields/assets/css/acf-components.css/wp-content/plugins/advanced-custom-fields/assets/css/acf-validation.css+14 more

Script Paths

/wp-content/plugins/advanced-custom-fields/assets/js/acf-input.js/wp-content/plugins/advanced-custom-fields/assets/js/acf-field-group.js/wp-content/plugins/advanced-custom-fields/assets/js/acf-field.js/wp-content/plugins/advanced-custom-fields/assets/js/acf-admin.js/wp-content/plugins/advanced-custom-fields/assets/js/acf-settings.js/wp-content/plugins/advanced-custom-fields/assets/js/acf-modal.js+6 more

Version Parameters

advanced-custom-fields/advanced-custom-fields.php?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-global.css?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-admin.css?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-field-group.css?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-field.css?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-settings.css?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-modal.css?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-components.css?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-validation.css?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-blocks.css?ver=/wp-content/plugins/advanced-custom-fields/assets/css/acf-blocks-editor.css?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-input.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-field-group.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-field.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-admin.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-settings.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-modal.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-blocks.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-blocks-editor.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-validation.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-field-group-settings.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-field-group-locations.js?ver=/wp-content/plugins/advanced-custom-fields/assets/js/acf-field-group-rules.js?ver=

HTML / DOM Fingerprints

CSS Classes

acf-fieldacf-field-groupacf-field-settingsacf-fields-wrapperacf-repeateracf-cloneacf-field-wrapacf-label+15 more

HTML Comments

+5 more

Data Attributes

data-field_namedata-field_typedata-field_keydata-field_iddata-field_group_iddata-name+15 more

JS Globals

acfacfLocalJSONacfBlock

REST Endpoints

/wp-json/acf/v1/fields/wp-json/acf/v1/field-groups/wp-json/acf/v1/settings/wp-json/acf/v1/updates/wp-json/acf/v1/blocks/wp-json/acf/v1/options/wp-json/acf/v1/local-json/wp-json/acf/v1/validation

Shortcode Output

[acf field=[acf field="[acf field=][acf]

FAQ

Advanced Custom Fields (ACF®) Security & Risk Analysis

Is Advanced Custom Fields (ACF®) Safe to Use in 2026?

Generally Safe

Key Concerns

Advanced Custom Fields (ACF®) Security Vulnerabilities

CVEs by Year

Severity Breakdown

Advanced Custom Fields (ACF®) Code Analysis

Dangerous Functions Found

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

Advanced Custom Fields (ACF®) Attack Surface

AJAX Handlers 22

Shortcodes 1

Scheduled Events 1

Advanced Custom Fields (ACF®) Maintenance & Trust

Maintenance Signals

Community Trust

Advanced Custom Fields (ACF®) Alternatives

Advanced Custom Fields: Extended

Advanced Custom Fields Repeater & Flexible Content Fields Collapser

CubeWP Framework

Sympl Repeater for ACF and Elementor

Ultimate Fields

Advanced Custom Fields (ACF®) Developer Profile

How We Detect Advanced Custom Fields (ACF®)

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Advanced Custom Fields (ACF®)