CVE-2024-49593: 
WordPress vulnerability analysis and mitigation

In Advanced Custom Fields (ACF) before 6.3.9 and Secure Custom Fields before 6.3.6.3 (plugins for WordPress), a stored Cross-Site Scripting (XSS) vulnerability was discovered. The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts through the Field Group editor when editing plugin fields. This vulnerability primarily affects multi-site installations and installations where unfiltered_html has been disabled (WPScan, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 5.3 (Medium). The vulnerability stems from insufficient input sanitization and output escaping in the Field Group editor, specifically when handling ACF field labels. This security flaw allows for the execution of stored XSS payloads when editing plugin fields (NVD, WPScan).

The vulnerability enables authenticated attackers with administrator-level access to inject malicious web scripts that will execute whenever a user accesses an affected page. The impact is primarily limited to multi-site installations and installations where unfiltered_html has been disabled (WPScan).

Users are advised to update to Advanced Custom Fields version 6.3.9 or Secure Custom Fields version 6.3.6.3 or later to address this vulnerability. For users of the free version of ACF, an alternative update mechanism is available through WP Engine (ACF Blog).