Advanced Forms for ACF Security & Risk Analysis

wordpress.org/plugins/advanced-forms

Flexible and developer-friendly forms using the power of Advanced Custom Fields

3K active installs · v1.9.3.7 · PHP 7.1+ · WP 5.4.0+ · Updated Mar 4, 2026

Tags: acf · acf-form · advanced-custom-fields · contact-form · form

Score: 99 (Grade A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Feb 5, 2024
Safety Verdict

Is Advanced Forms for ACF Safe to Use in 2026?

Generally Safe

Score 99/100

Advanced Forms for ACF has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Feb 5, 2024 · Updated 1mo ago
Risk Assessment

The "advanced-forms" plugin v1.9.3.7 presents a concerning security posture. While it has no currently unpatched CVEs, its vulnerability history reveals a pattern of critical security flaws, specifically Missing Authorization and Authorization Bypass Through User-Controlled Key. This suggests a recurring weakness in how the plugin handles user permissions and access control.

The static analysis highlights significant security risks. A substantial portion of the attack surface, specifically 3 of its 4 entry points (the three AJAX handlers), lacks proper authentication checks. This leaves these handlers open to unauthorized access and potential exploitation. Furthermore, the plugin exhibits poor output escaping practices, with only 12% of outputs properly escaped, increasing the risk of Cross-Site Scripting (XSS) vulnerabilities. The presence of unsanitized paths in the taint analysis flows, even though none was rated critical or high severity, warrants caution, as it indicates potential for path traversal or other file-related attacks.

While the plugin does have some security measures in place, such as nonce and capability checks, their limited application across the attack surface is a major concern. The complete absence of prepared statements for its single SQL query is another critical weakness, leaving it susceptible to SQL injection. The history of serious vulnerabilities, combined with the identified weaknesses in authentication, output escaping, and data sanitization, indicates that this plugin requires immediate attention to mitigate potential risks.

Key Concerns

  • Unprotected AJAX handlers
  • Raw SQL query without prepared statements
  • Low percentage of properly escaped output
  • Unsanitized paths in taint flows
  • Previous high severity vulnerabilities
  • Previous medium severity vulnerabilities
  • Limited capability checks across entry points
Vulnerabilities: 2

Advanced Forms for ACF Security Vulnerabilities

CVEs by Year

2020: 1 CVE
2024: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2024-1121 · medium · CVSS 5.3 · Missing Authorization

Advanced Forms for ACF <= 1.9.3.2 - Missing Authorization to Unauthenticated Form Settings Export

Feb 5, 2024 · Patched in 1.9.3.3 (1d)

CVE-2021-24892 · high · CVSS 8.8 · Authorization Bypass Through User-Controlled Key

Advanced Forms for ACF <= 1.6.8 - Insecure Direct Object Reference

Jun 27, 2020 · Patched in 1.6.9 (1305d)
Code Analysis (analyzed Mar 16, 2026)

Advanced Forms for ACF Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 66 (9 escaped)
Nonce Checks: 2
Capability Checks: 1
File Operations: 1
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared (1 total query)

Output Escaping

12% escaped (75 total outputs)

Data Flows: 5 unsanitized

Data Flow Analysis

7 flows · 5 with unsanitized paths

export_page (admin\forms\forms-export.php:36)
Attack Surface: 3 unprotected

Advanced Forms for ACF Attack Surface

Entry Points: 4
Unprotected: 3

AJAX Handlers (3)

auth    wp_ajax_af_gutenberg_get_form_data  core\core-gutenberg.php:12
auth    wp_ajax_af_submission               core\forms\forms-submissions.php:19
nopriv  wp_ajax_af_submission               core\forms\forms-submissions.php:20

Shortcodes (1)

[advanced_form]  core\forms\forms-rendering.php:12

WordPress Hooks (80)

type    hook                                           location
action  acf/render_field_settings                      acf\acf-additions.php:14
action  acf/prepare_field                              acf\acf-additions.php:15
filter  acf/location/rule_types                        acf\acf-additions.php:17
filter  acf/location/rule_values/af_form               acf\acf-additions.php:18
filter  acf/location/rule_match/af_form                acf\acf-additions.php:19
filter  acf/field_wrapper_attributes                   acf\fields\af-render-content-field.php:74
action  acf/render_field/type=text                     admin\admin-emails.php:7
filter  acf/load_field/name=recipient_field            admin\admin-emails.php:9
filter  af/form/settings_fields                        admin\admin-emails.php:10
action  acf/init                                       admin\admin-entries.php:9
action  manage_af_entry_posts_custom_column            admin\admin-entries.php:11
action  restrict_manage_posts                          admin\admin-entries.php:13
action  pre_get_posts                                  admin\admin-entries.php:14
filter  acf/prepare_field/name=entry_form              admin\admin-entries.php:18
filter  acf/prepare_field/name=entry_submission_info   admin\admin-entries.php:19
filter  acf/prepare_field/name=form_create_entries     admin\admin-entries.php:21
filter  manage_af_entry_posts_columns                  admin\admin-entries.php:23
filter  af/form/settings_fields                        admin\admin-entries.php:25
action  admin_init                                     admin\admin-forms.php:12
action  edit_form_after_title                          admin\admin-forms.php:13
filter  acf/prepare_field/name=form_shortcode_message  admin\admin-forms.php:14
action  save_post                                      admin\admin-forms.php:15
filter  add_post_metadata                              admin\admin-forms.php:16
action  acf/init                                       admin\admin-forms.php:17
action  media_buttons                                  admin\admin-forms.php:18
action  admin_footer                                   admin\admin-forms.php:19
action  post_submitbox_start                           admin\admin-forms.php:21
filter  manage_af_form_posts_columns                   admin\admin-forms.php:23
action  manage_af_form_posts_custom_column             admin\admin-forms.php:24
filter  disable_months_dropdown                        admin\admin-forms.php:25
filter  af/form/settings_fields                        admin\admin-restrictions.php:8
action  admin_menu                                     admin\forms\forms-export.php:8
action  admin_init                                     admin\forms\forms-export.php:9
action  af/admin/form/actions                          admin\forms\forms-export.php:10
filter  admin_title                                    admin\forms\forms-export.php:11
action  admin_menu                                     admin\forms\forms-import.php:5
action  admin_init                                     admin\forms\forms-import.php:6
filter  admin_title                                    admin\forms\forms-import.php:7
action  admin_menu                                     admin\forms\forms-preview.php:6
action  af/admin/form/actions                          admin\forms\forms-preview.php:7
filter  admin_title                                    admin\forms\forms-preview.php:8
action  admin_enqueue_scripts                          admin\forms\forms-preview.php:9
filter  af/form/button_attributes                      admin\forms\forms-preview.php:11
filter  af/form/previous_button_atts                   admin\forms\forms-preview.php:12
filter  af/form/next_button_atts                       admin\forms\forms-preview.php:13
action  plugins_loaded                                 advanced-forms.php:61
action  acf/init                                       advanced-forms.php:62
action  admin_notices                                  advanced-forms.php:63
action  admin_enqueue_scripts                          advanced-forms.php:134
action  admin_enqueue_scripts                          advanced-forms.php:135
action  init                                           advanced-forms.php:139
action  af/form/submission                             core\core-emails.php:7
action  af/emails/send_form_email                      core\core-emails.php:8
filter  af/form/valid_form                             core\core-emails.php:10
filter  af/form/from_post                              core\core-emails.php:11
action  af/form/to_post                                core\core-emails.php:12
action  af/form/submission                             core\core-entries.php:10
action  save_post                                      core\core-entries.php:11
action  af/merge_tags/custom                           core\core-entries.php:13
action  af/merge_tags/resolve                          core\core-entries.php:14
action  save_post                                      core\core-entries.php:97
action  acf/init                                       core\core-gutenberg.php:5
filter  acf/load_field/name=af_block_form              core\core-gutenberg.php:6
filter  acf/load_field/name=af_block_exclude_fields    core\core-gutenberg.php:7
action  acf/init                                       core\core-gutenberg.php:9
filter  af/form/gutenberg/fields                       core\core-gutenberg.php:10
filter  af/merge_tags/resolve                          core\core-merge-tags.php:6
filter  af/merge_tags/resolve                          core\core-merge-tags.php:7
filter  af/merge_tags/resolve                          core\core-merge-tags.php:8
action  init                                           core\core-migrations.php:9
filter  af/form/restriction                            core\core-restrictions.php:11
filter  af/form/restriction                            core\core-restrictions.php:12
filter  af/form/restriction                            core\core-restrictions.php:13
filter  af/form/valid_form                             core\core-restrictions.php:15
filter  af/form/from_post                              core\core-restrictions.php:16
action  af/form/to_post                                core\core-restrictions.php:17
action  af/form/render                                 core\forms\forms-rendering.php:13
action  init                                           core\forms\forms-submissions.php:21
action  acf/validate_save_post                         core\forms\forms-submissions.php:22
filter  acf/upload_prefilter                           core\forms\forms-submissions.php:23
Maintenance & Trust

Advanced Forms for ACF Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 4, 2026
PHP min version: 7.1
Downloads: 105K

Community Trust

Rating: 100/100
Number of ratings: 41
Active installs: 3K
Developer Profile

Advanced Forms for ACF Developer Profile

Phil Kurth

2 plugins · 3K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 653 days
Detection Fingerprints

How We Detect Advanced Forms for ACF

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/advanced-forms/assets/dist/css/admin.css
/wp-content/plugins/advanced-forms/assets/dist/js/admin.js

Script Paths
/wp-content/plugins/advanced-forms/assets/dist/js/admin.js

Version Parameters
advanced-forms/assets/dist/css/admin.css?ver=
advanced-forms/assets/dist/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
af-admin-wrap
acf-field-af-form-fields
acf-field-af-form-settings
acf-field-af-form-submissions
acf-field-af-form-emails
acf-field-af-form-entries

HTML Comments
<!-- Advanced Forms Admin Menu -->
<!-- Advanced Forms Admin Wrap -->

Data Attributes
data-af-form-id
data-af-submission-id

JS Globals
advancedFormsAdmin
AFAdmin

REST Endpoints
/wp-json/advanced-forms/v1/submissions
/wp-json/advanced-forms/v1/entries
/wp-json/advanced-forms/v1/forms
FAQ

Frequently Asked Questions about Advanced Forms for ACF