CVE-2026-4812

EUVD-2026-22828

15.04.2026, 04:17

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-page_link.php#L144

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L155

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L92

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L118

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L171

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L180

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L187

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-user.php#L435

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-page_link.php#L144

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L155

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L92

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L118

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L171

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L180

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L187

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-user.php#L435

https://www.wordfence.com/threat-intel/vulnerabilities/id/51e3a976-a1a3-411a-b88c-f1cb2aa8d5eb?source=cve