Description
The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.
Remediation
References
Related Vulnerabilities
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-2080)
Jenkins Missing Authorization Vulnerability (CVE-2025-67636)
WordPress Plugin Feedweb Unspecified Vulnerability (3.0.10)
SharePoint CVE-2024-21318 Vulnerability (CVE-2024-21318)
SharePoint Out-of-bounds Write Vulnerability (CVE-2014-1761)