WordPress · Advanced Custom Fields Pro · CVE-2024-49593
**Name of the Vulnerable Software and Affected Versions**
Advanced Custom Fields (ACF) versions prior to 6.3.9
Secure Custom Fields versions prior to 6.3.6.3
**Description**
A stored XSS payload can be executed when the Field Group editor is used to edit one of the plugin's fields in Advanced Custom Fields (ACF) and Secure Custom Fields for WordPress.
**Recommendations**
For Advanced Custom Fields (ACF) versions prior to 6.3.9, update to version 6.3.9 or later.
For Secure Custom Fields versions prior to 6.3.6.3, update to version 6.3.6.3 or later.
As a temporary workaround, consider restricting access to the Field Group editor until a patch is applied.
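
The version check behind the two update recommendations, written out as an added example (it is not part of the original advisory or of either plugin). The header regex only approximates how WordPress reads a plugin's `Version:` header, the sample header is constructed, and flagging a suffixed build of the fixed version is a conservative assumption.

```python
import re
from itertools import zip_longest

# First fixed releases, as stated in the advisory above.
FIXED = {
    "Advanced Custom Fields": "6.3.9",
    "Secure Custom Fields": "6.3.6.3",
}

# Assumption: approximates how WordPress reads the "Version:" plugin header.
_VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Secure Custom Fields
 * Version: 6.3.6.2
 */
"""


def header_version(php_source):
    """Return the Version header value from a plugin's main PHP file, or None."""
    m = _VERSION_HEADER.search(php_source)
    return m.group(1) if m else None


def _split(version):
    """Split '6.3.9-beta1' into ((6, 3, 9), '-beta1')."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(0).split(".")), version[m.end():]


def is_affected(product, installed):
    """True if `installed` predates the first fixed release of `product`."""
    fixed, _ = _split(FIXED[product])
    nums, suffix = _split(installed)
    # Pad with zeros so three- and four-part versions compare numerically.
    pairs = list(zip_longest(nums, fixed, fillvalue=0))
    have = tuple(a for a, _ in pairs)
    need = tuple(b for _, b in pairs)
    if have != need:
        return have < need
    # Assumption: a suffixed build of the fixed version (e.g. -beta1) is a
    # pre-release and is flagged conservatively.
    return bool(suffix)
```

Comparing the components as integers matters here: a plain string comparison would rank 6.3.10 below 6.3.9 and report a patched site as affected.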