CVE-2026-4812

Vulnerability Description

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.

CVSS Score

Related Weaknesses (CWE)

References

• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/inc
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/inc
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/inc
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/inc
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/inc
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/inc
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/inc
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/inc
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes
• https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes