PLUGIN SECURITY
Is Acf Extended safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Acf Extended WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
acf-extended - Requires PHP: 5.6+
- Max supported PHP (analyzed): <8.0
Known vulnerabilities
- Advanced Custom Fields: Extended [acf-extended] < 0.8.8.7 [CVE-2021-24865, WordPress Advanced Custom Fields: Extended plugin <= 0.8.8.6 - SQL Injection (SQLi) vulnerability, Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Injection, Advanced Custom Fields: Extended <= 0.8.8.6 - Admin+ SQL Injection]
- Advanced Custom Fields: Extended [acf-extended] < 0.8.9.4 [CVE-2023-5292, Advanced Custom Fields: Extended <= 0.8.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode, WordPress Advanced Custom Fields: Extended Plugin <= 0.8.9.3 is vulnerable to Cross Site Scripting (XSS), Advanced Custom Fields: Extended < 0.8.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]
- Advanced Custom Fields: Extended [acf-extended] < 0.9.2 [CVE-2025-13486, Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form]
- Advanced Custom Fields: Extended [acf-extended] < 0.9.2.2 [CVE-2025-14533, Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action]
- Advanced Custom Fields: Extended [acf-extended] < 0.9.2.4 [CVE-2025-15463, WordPress ACF Extended Plugin <= 0.9.2.3 is vulnerable to a medium priority Content Injection, Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution, EUVD-2025-209809]
+ 1 more known vulnerability
- Advanced Custom Fields: Extended [acf-extended] < 0.9.2.6 [CVE-2026-8809, Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Advanced Custom Fields (ACF®) — 2000000+ active installs — max PHP 8.4
- Meta Box — 500000+ active installs — max PHP 8.4
- Checkout Field Editor (Checkout Manager) for WooCommerce — 400000+ active installs — max PHP 8.4
- ACF Content Analysis for Yoast SEO — 100000+ active installs — max PHP 8.4
- Admin Columns — 100000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.