CVE-2026-4066 - Vulnerability Details

- Smart Custom Fields <= 5.0.6 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search

Description

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post.

Published: 2026-03-23

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Smart Custom Fields plugin for WordPress contains a missing capability check in the relational_posts_search() function. As a result, authenticated users with Contributor-level access or higher can trigger the smart-cf-relational-posts-search AJAX action and retrieve full WP_Post objects, including post_content, for posts with post_status=any. This allows such users to read private and draft content belonging to other authors, thereby exposing sensitive information that should be restricted.

Affected Systems

The vulnerability affects the inc2734 Smart Custom Fields plugin, versions up to and including 5.0.6, which is distributed as a WordPress plugin. Any WordPress installation that has this plugin activated at these or earlier versions is susceptible until the functionality is updated or removed.

Risk and Exploitability

With a CVSS score of 4.3 the issue is considered moderate but still measurable; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers need only authenticated access with Contributor or higher privileges and send a request to the AJAX endpoint; no special local conditions or exploits are required. The impact is limited to confidentiality loss of unpublished post content; however, if an attacker gains broader privileges the exposure could be significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

inc2734

Smart Custom Fields

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.0.6

No data.

Vendor Product Confidence Versions

Inc2734

Smart Custom Fields

100%

Version	Status	Scheme	Platform
`[0,5.0.6]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Smart Custom Fields plugin to the latest available version that fixes the missing capability check.
If an update is not immediately possible, disable the plugin or the relational posts search feature to prevent the AJAX endpoint from being accessible to Contributors.
Verify that WordPress user roles are correctly configured so that only administrators can read private posts.

Generated by OpenCVE AI on March 24, 2026 at 03:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L101
https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L143
https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L78
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3485210%40smart-custom-fields%2Ftrunk&old=3416964%40smart-custom-fields%2Ftrunk&sfp_email=&sfph_mail=#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/87f52e3a-e414-4f47-b46c-e3811e76744b?source=cve

History

Tue, 24 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Inc2734 Inc2734 smart Custom Fields Wordpress Wordpress wordpress
Vendors & Products		Inc2734 Inc2734 smart Custom Fields Wordpress Wordpress wordpress

Tue, 24 Mar 2026 02:30:00 +0000

Type	Values Removed	Values Added
Description		The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post.
Title		Smart Custom Fields <= 5.0.6 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L101 https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L143 https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L78 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3485210%40smart-custom-fields%2Ftrunk&old=3416964%40smart-custom-fields%2Ftrunk&sfp_email=&sfph_mail=#file2 https://www.wordfence.com/threat-intel/vulnerabilities/id/87f52e3a-e414-4f47-b46c-e3811e76744b?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Inc2734 Smart Custom Fields

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-03-23T22:25:39.149Z

Updated: 2026-04-08T17:05:11.962Z

Reserved: 2026-03-12T18:43:28.699Z

Link: CVE-2026-4066

Vulnrichment

Updated: 2026-03-24T13:58:57.252Z

NVD

Status : Deferred

Published: 2026-03-23T23:17:13.227

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4066

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:15Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object