Security Alert Summary
The Advanced Custom Fields (ACF) plugin for WordPress contains a missing authorization vulnerability. An unauthenticated attacker who can reach a frontend ACF form can query the plugin's AJAX field endpoints directly and enumerate draft or private posts, posts of restricted post types, and other data that the field configuration is meant to keep hidden.
CVE Details
- CVE ID: CVE-2026-4812
- Affected component: The Advanced Custom Fields (ACF) plugin for WordPress
- Affected versions: Versions up to and including 6.7.0
- Published: April 15, 2026 at 4:17:48 AM UTC
- Last modified: April 15, 2026 at 4:17:48 AM UTC
- CVSS v3.1: Base score 5.3, Medium — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Attack vector / complexity: NETWORK / LOW
- Authentication & privileges: No authentication required (unauthenticated); Privileges required: NONE; User interaction: NONE
- Scope: UNCHANGED
- Primary impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
- Weakness (CWE): CWE-862 (Missing Authorization)
Technical Details
The vulnerability is a missing authorization check in the AJAX endpoints ACF uses to run field queries. Those endpoints accept filter parameters from the request and apply them without confirming that the caller is allowed to see the matching objects, so request-supplied values can override the restrictions (post type, post status and similar) configured on the field. An attacker who can submit or trigger a frontend ACF form can therefore call the endpoints directly and receive results that the field configuration was meant to exclude.
The references in the disclosure point at the field handler files class-acf-field-page_link.php, class-acf-field-post_object.php, class-acf-field-relationship.php and class-acf-field-user.php in ACF 6.7.0, that is, the per-field query logic these AJAX endpoints call into. The User field is among them, so the exposure is not limited to posts.
The impact is limited to disclosure of information that the ACF field configuration was meant to restrict. Nothing in the disclosure indicates that data can be modified or deleted, and the CVSS vector accordingly records a LOW confidentiality impact with no integrity or availability impact.
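To make the bug class concrete, here is an illustrative pair of AJAX argument builders, added as an example and not taken from ACF's code or from the disclosure. The first reproduces the pattern the advisory describes (request-supplied filters merged over the field configuration, with no authorization check); the second shows how such an endpoint should behave. The function names, the `filters` request key and the sample field configuration are assumptions made for the example; `wp_parse_args`, `current_user_can`, `sanitize_text_field` and the `read_private_posts` capability are standard WordPress.

```php
<?php
// Added illustration of the bug class; this is not ACF's code. Function names and
// the request layout ('filters' => [...]) are assumptions made for the example.

// What the site builder configured on the field: which objects the picker may show.
// In a real plugin this comes from the saved field settings, never from the request.
$example_field_config = [
    'post_type'      => [ 'product' ],
    'post_status'    => [ 'publish' ],
    'posts_per_page' => 20,
];

/**
 * VULNERABLE pattern (illustrative). wp_parse_args( $args, $defaults ) returns
 * array_merge( $defaults, $args ), so every key the caller sends wins over the
 * field configuration, and nothing asks whether the caller may read the result.
 */
function example_vulnerable_query_args( array $field_config, array $request ): array {
    $filters = ( isset( $request['filters'] ) && is_array( $request['filters'] ) ) ? $request['filters'] : [];
    return wp_parse_args( $filters, $field_config );
}

/**
 * HARDENED pattern (illustrative). The request may only influence the keys this
 * endpoint genuinely needs, the field configuration is applied last so it cannot
 * be overridden, and any status other than 'publish' requires a capability check.
 */
function example_hardened_query_args( array $field_config, array $request ): array {
    $incoming = ( isset( $request['filters'] ) && is_array( $request['filters'] ) ) ? $request['filters'] : [];

    // 1. Allowlist: search term and page number are the only caller-controlled inputs.
    $filters          = array_intersect_key( $incoming, array_flip( [ 's', 'paged' ] ) );
    $filters['s']     = sanitize_text_field( (string) ( $filters['s'] ?? '' ) );
    $filters['paged'] = max( 1, (int) ( $filters['paged'] ?? 1 ) );

    // 2. Configuration is authoritative: array_merge keeps the LAST value for a key.
    $args = array_merge( $filters, $field_config );

    // 3. Authorization, not just a nonce. A nonce proves the request came from the
    //    form, which the attacker in this advisory already has. Only callers who may
    //    read private posts get any status other than 'publish'.
    if ( ! current_user_can( 'read_private_posts' ) ) {
        $args['post_status'] = 'publish';
    }
    // With 'post_type' => 'any' the right capability differs per post type; check
    // get_post_type_object( $type )->cap->read_private_posts for each type instead.

    return $args;
}

// Constructed request, shaped the way an attacker would send it to the endpoint.
$example_request = [
    'filters' => [ 'post_status' => [ 'draft', 'private' ], 'post_type' => 'any', 's' => '' ],
];
$example_leaky = example_vulnerable_query_args( $example_field_config, $example_request );
$example_safe  = example_hardened_query_args( $example_field_config, $example_request );
```

With that request, the vulnerable builder hands WP_Query the attacker's `post_status` and `post_type` values because `wp_parse_args` lets the request override the configuration; the hardened builder discards both keys at the allowlist step and keeps `product` / `publish`. The nonce point matters in practice: a nonce check alone would not have helped here, since anyone who can load the frontend form receives a valid nonce with it.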
How This Could Impact Your Website
A typical exposed setup is a site that uses ACF to build frontend forms, for example for contributors or external contractors, and leaves those forms reachable by visitors who are not logged in. Because the flaw needs no authentication, anyone who can load such a form can enumerate non-public items, such as draft or private post titles, slugs and other metadata that an ACF field would normally expose only to authorized users. That information supports targeted phishing or social engineering against staff and contributors who work with the unpublished content. In some setups, user-related data stored in fields can be exposed in the same way if it is retrievable through the affected endpoints.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update ACF to a patched release (anything newer than 6.7.0, per the affected range above) as soon as one is available; this is the only change that removes the flaw.
- Until then, do not expose frontend ACF forms to visitors who are not logged in, since the attack requires access to such a form.
- Review and reduce unnecessary user roles and capabilities, especially for contributors and other non-editor roles. This does not stop the unauthenticated path described here, but it limits what an attacker can do with knowledge of unpublished content.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and themes to reduce attack surface.
- Monitor site activity and logs for unexpected access to ACF endpoints. ACF's field queries go through wp-admin/admin-ajax.php, so look for unauthenticated POSTs to that file that page repeatedly through results. The ACF action name travels in the POST body, so web-server access logs alone usually will not show it; application-level logging is needed.
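As a compensating control while the update is pending, and to produce the concrete log signal the last bullet asks for, the following must-use plugin is an added example, not ACF or Freshy code. It hooks ACF's documented `acf/fields/post_object/query`, `acf/fields/relationship/query`, `acf/fields/page_link/query` and `acf/fields/user/query` filters, which run on the final query arguments; verify the hook names and the `( $args, $field, $post_id )` argument order against the installed ACF version. The `example_` function names and the log-line format are assumptions.

```php
<?php
/**
 * Plugin Name: Example ACF field-query clamp (compensating control)
 * Description: Added example, not ACF code. Forces ACF AJAX field queries to
 * published-only results for callers who may not read non-public content, and
 * logs requests that asked for more. Place in wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Shared logger: one line per clamped request, so log monitoring has a concrete
 * signal for "unexpected access to ACF endpoints". The format is our own choice.
 */
function example_acf_clamp_log( string $what, array $field, $requested ): void {
    error_log( sprintf(
        'acf-clamp: %s field=%s requested=%s user=%d ip=%s',
        $what,
        isset( $field['key'] ) ? $field['key'] : 'unknown',
        wp_json_encode( $requested ),
        get_current_user_id(), // 0 for unauthenticated callers
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-'
    ) );
}

/**
 * Post-based fields (post_object, relationship, page_link): whatever status the
 * field configuration or the request asked for, a caller without the
 * read_private_posts capability only ever receives published posts.
 */
function example_acf_clamp_post_query( $args, $field, $post_id ) {
    if ( ! current_user_can( 'read_private_posts' ) ) {
        // Normalise to an array so both 'draft' and [ 'draft', 'private' ] are caught.
        $statuses = (array) ( isset( $args['post_status'] ) ? $args['post_status'] : 'publish' );
        $extra    = array_diff( $statuses, [ 'publish' ] );
        if ( ! empty( $extra ) ) {
            example_acf_clamp_log( 'post_status', (array) $field, array_values( $extra ) );
        }
        $args['post_status'] = 'publish';
    }
    return $args;
}
foreach ( [ 'post_object', 'relationship', 'page_link' ] as $example_type ) {
    // Late priority so this runs after ACF and any theme code have built $args.
    add_filter( "acf/fields/{$example_type}/query", 'example_acf_clamp_post_query', 99, 3 );
}

/**
 * User field: callers without list_users get an empty result. WP_User_Query
 * turns 'include' => [ 0 ] into "ID IN (0)", which matches no user.
 */
function example_acf_clamp_user_query( $args, $field, $post_id ) {
    if ( ! current_user_can( 'list_users' ) ) {
        example_acf_clamp_log( 'user_query', (array) $field, $args );
        $args['include'] = [ 0 ];
    }
    return $args;
}
add_filter( 'acf/fields/user/query', 'example_acf_clamp_user_query', 99, 3 );
```

Two caveats before deploying this. It is defense in depth, not a substitute for the update: it only holds if the filters really run after request parameters have been merged into the arguments, which is what the documented hooks are intended for but which you should confirm on your version. And it deliberately narrows behaviour: attachments use the `inherit` status, so a field configured to pick media would return nothing for anonymous callers, and a frontend form that legitimately lets anonymous visitors pick a user will show an empty user list. Adjust the capability checks if your site relies on either.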
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-page_link.php#L144
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L155
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L92
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L118
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L171
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L180
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L187
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-user.php#L435
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-page_link.php#L144
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L155
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L92
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L118
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L171
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L180
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L187
- https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-user.php#L435
- https://www.wordfence.com/threat-intel/vulnerabilities/id/51e3a976-a1a3-411a-b88c-f1cb2aa8d5eb?source=cve