WPGraphQL for ACF Security & Risk Analysis

wordpress.org/plugins/wpgraphql-acf

WPGraphQL for ACF seamlessly integrates Advanced Custom Fields with WPGraphQL.

10K active installs v2.5.1 PHP 7.3+ WP 5.9+ Updated Mar 5, 2026
acf api graphql headless nextjs
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WPGraphQL for ACF Safe to Use in 2026?

Generally Safe

Score 100/100

WPGraphQL for ACF has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 29d ago
Risk Assessment

The wpgraphql-acf plugin version 2.5.1 exhibits a strong security posture based on the provided static analysis and vulnerability history. The plugin demonstrates excellent security practices: it uses no dangerous functions, all SQL queries are properly prepared, and a very high percentage of output is correctly escaped. Furthermore, the presence of nonce and capability checks, coupled with the absence of file operations and external HTTP requests, significantly reduces the potential attack surface. The lack of any reported CVEs, past or present, is a very positive indicator of the plugin's ongoing security maintenance.

While the static analysis reveals a single AJAX handler, it is noted as protected, and there are no unauthenticated entry points. The taint analysis shows no identified flows, indicating a lack of exploitable vulnerabilities stemming from unsanitized data. The plugin's vulnerability history is clean, with no recorded CVEs across any severity levels, reinforcing the impression of a well-maintained and secure codebase. The overall assessment points to a plugin with minimal security risks, well-implemented security controls, and a history of responsible development.

Vulnerabilities
None known

WPGraphQL for ACF Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WPGraphQL for ACF Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (40 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

95% escaped, 42 total outputs
Attack Surface

WPGraphQL for ACF Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers 1

auth wp_ajax_get_acf_field_group_graphql_types src\Admin\Settings.php:93
WordPress Hooks 51
action wpgraphql/acf/register_field_types access-functions.php:8
filter manage_acf-ui-options-page_posts_columns src\Admin\OptionsPageRegistration.php:16
action manage_acf-ui-options-page_posts_custom_column src\Admin\OptionsPageRegistration.php:19
filter acf/ui_options_page/registration_args src\Admin\OptionsPageRegistration.php:22
filter acf/ui_options_page/additional_settings_tabs src\Admin\OptionsPageRegistration.php:25
action acf/ui_options_page/render_settings_tab/graphql src\Admin\OptionsPageRegistration.php:28
filter acf_get_options_pages src\Admin\OptionsPageRegistration.php:31
filter manage_acf-post-type_posts_columns src\Admin\PostTypeRegistration.php:20
action manage_acf-post-type_posts_custom_column src\Admin\PostTypeRegistration.php:23
filter acf/post_type/registration_args src\Admin\PostTypeRegistration.php:26
filter acf/post_type_args src\Admin\PostTypeRegistration.php:30
filter acf/post_type/additional_settings_tabs src\Admin\PostTypeRegistration.php:33
action acf/post_type/render_settings_tab/graphql src\Admin\PostTypeRegistration.php:36
action admin_enqueue_scripts src\Admin\PostTypeRegistration.php:39
filter acf/field_group/additional_field_settings_tabs src\Admin\Settings.php:55
action admin_enqueue_scripts src\Admin\Settings.php:69
action add_meta_boxes src\Admin\Settings.php:75
action acf/field_group/render_group_settings_tab/graphql src\Admin\Settings.php:77
filter acf/field_group/additional_group_settings_tabs src\Admin\Settings.php:78
filter manage_acf-field-group_posts_columns src\Admin\Settings.php:95
action manage_acf-field-group_posts_custom_column src\Admin\Settings.php:97
action acf/render_field_settings src\Admin\Settings.php:111
filter manage_acf-taxonomy_posts_columns src\Admin\TaxonomyRegistration.php:20
action manage_acf-taxonomy_posts_custom_column src\Admin\TaxonomyRegistration.php:23
filter acf/taxonomy/registration_args src\Admin\TaxonomyRegistration.php:26
filter acf/taxonomy_args src\Admin\TaxonomyRegistration.php:30
filter acf/taxonomy/additional_settings_tabs src\Admin\TaxonomyRegistration.php:33
action acf/taxonomy/render_settings_tab/graphql src\Admin\TaxonomyRegistration.php:36
action admin_enqueue_scripts src\Admin\TaxonomyRegistration.php:39
filter wpgraphql/acf/should_field_group_show_in_graphql src\ThirdParty\AcfExtended\AcfExtended.php:33
action graphql_register_types src\ThirdParty\AcfExtended\AcfExtended.php:34
action wpgraphql/acf/registry_init src\ThirdParty\AcfExtended\AcfExtended.php:35
filter wpgraphql/acf/get_all_possible_types/interfaces src\ThirdParty\WPGraphQLContentBlocks\WPGraphQLContentBlocks.php:20
filter wpgraphql_content_blocks_should_apply_post_type_editor_blocks_interfaces src\ThirdParty\WPGraphQLContentBlocks\WPGraphQLContentBlocks.php:24
action wpgraphql/acf/type_registry/init src\ThirdParty\WPGraphQLContentBlocks\WPGraphQLContentBlocks.php:27
action graphql_cache_invalidation_init src\ThirdParty\WPGraphQLSmartCache\WPGraphQLSmartCache.php:22
action updated_option src\ThirdParty\WPGraphQLSmartCache\WPGraphQLSmartCache.php:34
action admin_init src\WPGraphQLAcf.php:36
action graphql_init src\WPGraphQLAcf.php:37
action wpgraphql/acf/init src\WPGraphQLAcf.php:41
action admin_init src\WPGraphQLAcf.php:42
action init src\WPGraphQLAcf.php:46
action graphql_register_types src\WPGraphQLAcf.php:47
filter graphql_resolve_revision_meta_from_parent src\WPGraphQLAcf.php:49
filter graphql_data_loader_classes src\WPGraphQLAcf.php:51
filter graphql_resolve_node_type src\WPGraphQLAcf.php:52
filter graphql_resolve_field src\WPGraphQLAcf.php:57
action init src\WPGraphQLAcf.php:60
action admin_notices src\WPGraphQLAcf.php:277
action plugins_loaded wpgraphql-acf.php:56
action init wpgraphql-acf.php:72
Maintenance & Trust

WPGraphQL for ACF Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.5.8
Last updated: Mar 5, 2026
PHP min version: 7.3
Downloads: 85K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10K
Developer Profile

WPGraphQL for ACF Developer Profile

Jason Bahl

3 plugins · 46K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 1152 days
Detection Fingerprints

How We Detect WPGraphQL for ACF

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpgraphql-acf/acf-graphql.php
/wp-content/plugins/wpgraphql-acf/src/Admin/PostTypeRegistration.php
/wp-content/plugins/wpgraphql-acf/src/TaxonomyRegistration.php
/wp-content/plugins/wpgraphql-acf/src/FieldResolver.php
/wp-content/plugins/wpgraphql-acf/src/WPGraphQLAcf.php
Script Paths
/wp-content/plugins/wpgraphql-acf/assets/js/admin/graphql_settings.js
Version Parameters
wpgraphql-acf/acf-graphql.php?ver=
wpgraphql-acf/src/Admin/PostTypeRegistration.php?ver=
wpgraphql-acf/src/TaxonomyRegistration.php?ver=
wpgraphql-acf/src/FieldResolver.php?ver=
wpgraphql-acf/src/WPGraphQLAcf.php?ver=

HTML / DOM Fingerprints

CSS Classes
acf-field-wrap
Data Attributes
data-field_name="show_in_graphql"
data-field_name="graphql_single_name"
data-field_name="graphql_plural_name"
JS Globals
acf
FAQ

Frequently Asked Questions about WPGraphQL for ACF