Primary

Context

WP Engine Advanced Custom Fields PRO Path Traversal Vulnerability Leading to Local File Inclusion

Vulnerability

A path traversal vulnerability allowing PHP local file inclusion has been identified in the WP Engine Advanced Custom Fields PRO plugin, affecting versions prior to 6.2.10. This vulnerability arises from improper restrictions on pathname navigation, which could be exploited to include and execute local files on the server.

Impact

Exploitation of this vulnerability could lead to local file inclusion, allowing attackers to access and execute files on the server. This could include sensitive files such as those containing database credentials, potentially leading to a complete takeover of the database, depending on the server's configuration.

Remediation

Users of the Advanced Custom Fields PRO plugin should update to version 6.2.10 or later. Patchstack users can enable auto-updates for vulnerable plugins.

Added: May 15, 2026, 9:32 AM

Updated: May 15, 2026, 9:32 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.2

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.2

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WP Engine Advanced Custom Fields PRO Path Traversal Vulnerability Leading to Local File Inclusion

Vulnerability

Impact

Remediation

Affected Products

WPENGINE INC Advanced Custom Fields PRO

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating