Advanced Custom Fields (ACF) has patched a reflected XSS vulnerability that affects versions 6.1.5 and below of ACF and ACF Pro, potentially impacting more than 2+ million users. It was discovered by Patchstack researcher Rafie Muhammad in February 2023, and patched by ACF developers in version 6.1.6 in April.

Patchstack published a security bulletin and Muhammad described the vulnerability as follows:

This vulnerability allows any unauthenticated user to steal sensitive information for, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path. 

The vulnerability was given a high severity CVSS score of 3.1. Muhammad outlined a proof of concept in the security bulletin. At this time, the vulnerability is not known to have been exploited. ACF free and ACF Pro users should update to the latest 6.1.6 version of the plugin as soon as possible.