CVE-2025-12067
Stored XSS in ACF/SCF Table Field Add-on Allows Script Injection
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| advanced_custom_fields | table_field | to 1.3.30 (inc) |
| advanced_custom_fields | table_field | 1.3.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Table Field Add-on for the Advanced Custom Fields (ACF) and SCF WordPress plugin. It affects all versions up to and including 1.3.30. Authenticated users with Author-level access or higher can inject malicious scripts into table cell content because the plugin does not properly sanitize or escape input and output. These scripts then execute whenever any user views the infected page. [2]
How can this vulnerability impact me? :
The vulnerability allows attackers with Author-level access to inject malicious scripts into table cells, which execute when other users view the affected pages. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacement, or spreading malware. Since the attack is stored, it can affect multiple users and persist until the vulnerability is fixed. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying injected malicious scripts in the table cell content of the Advanced Custom Fields Table Field plugin. Since the vulnerability allows authenticated users with Author-level access or higher to inject scripts, you can audit the database entries for the plugin's table fields for suspicious or unexpected HTML or JavaScript code. There are no specific commands provided in the resources, but general approaches include querying the WordPress database for table cell content containing script tags or suspicious HTML. For example, using SQL commands to search for '<script>' tags in the relevant post meta fields or using WordPress CLI commands to export and inspect field content. Additionally, monitoring web traffic for reflected or stored XSS payloads in pages using the plugin might help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Advanced Custom Fields Table Field plugin to a version that includes the fix for CVE-2025-12067. The fix sanitizes table data during the update_field() function by applying the WordPress wp_kses() function with the 'post' context to all relevant table data fields, preventing malicious script injection. If updating is not immediately possible, restrict Author-level and higher user permissions to trusted users only, and audit existing table content for malicious scripts. Applying the patch from changeset 3386339 or upgrading to a version including this patch will mitigate the vulnerability. [2]