{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4812", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-25T13:02:36.082Z", "datePublished": "2026-04-15T01:25:17.540Z", "dateUpdated": "2026-04-15T01:25:17.540Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T01:25:17.540Z"}, "affected": [{"vendor": "wpengine", "product": "Advanced Custom Fields (ACF\u00ae)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.7.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration."}], "title": "Advanced Custom Fields (ACF\u00ae) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51e3a976-a1a3-411a-b88c-f1cb2aa8d5eb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L155"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L155"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L171"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L171"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L187"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L187"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-page_link.php#L144"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-page_link.php#L144"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-user.php#L435"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-user.php#L435"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L118"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L118"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Fernando Mecozzi"}], "timeline": [{"time": "2026-04-14T12:58:08.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.7.0]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "Advanced Custom Fields (ACF\u00ae)", "source": "cna", "vendor": "wpengine"}, "product": "advanced_custom_fields", "vendor": "wpengine"}], "analysis": {"en": {"generated_at": "2026-04-15T02:21:11.160947+00:00", "value": {"mitigation_remediation": ["Upgrade the ACF plugin to the latest version (6.7.1 or newer) whenever it becomes available to remove the missing authorization checks.", "If an immediate upgrade is not possible, restrict all front\u2011end ACF form access behind authentication or move the forms to a private area, ensuring that only authorized users can trigger AJAX queries.", "Review and modify field configurations to disable or limit the use of AJAX\u2011based select fields (page_link, post_object, relationship, user) and remove any custom query parameters that override default restrictions."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure of Sensitive Posts and Pages"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Advanced Custom Fields (ACF\u00ae) plugin version 6.7.0 or earlier, distributed by wpengine. The vulnerability affects all field types that expose AJAX query parameters such as page_link, post_object, relationship, and user.", "description_and_impact": "The Advanced Custom Fields (ACF) plugin allows AJAX field query endpoints to accept user-supplied parameters that bypass the field\u2019s configured access restrictions, resulting in arbitrary disclosure of draft or private posts, restricted post types, and other protected data. This missing authorization flaw is classified as CWE\u2011862 and enables attackers to gather information that should be inaccessible to unauthenticated users.", "risk_and_exploitability": "With a CVSS score of 5.3, the flaw presents a moderate severity risk. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog, indicating that large-scale exploitation has not yet been observed. The likely attack path is an unauthenticated attacker targeting a publicly accessible front\u2011end ACF form, sending crafted AJAX requests to enumerate drafts and private content. Because no exploitation checks silently succeed, the vulnerability can be exercised without elevated privileges or prior user authentication."}}}}, "created": "2026-04-15T13:48:23.607848+00:00", "updated": "2026-04-15T13:49:14.871591+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpengine", "wpengine$PRODUCT$advanced_custom_fields"]}