Description
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.
Published: 2026-04-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Sensitive Posts and Pages
Action: Immediate Patch
AI Analysis

Impact

The Advanced Custom Fields (ACF) plugin allows AJAX field query endpoints to accept user-supplied parameters that bypass the field’s configured access restrictions, resulting in arbitrary disclosure of draft or private posts, restricted post types, and other protected data. This missing authorization flaw is classified as CWE‑862 and enables attackers to gather information that should be inaccessible to unauthenticated users.

Affected Systems

WordPress sites running the Advanced Custom Fields (ACF®) plugin version 6.7.0 or earlier, distributed by wpengine. The vulnerability affects all field types that expose AJAX query parameters such as page_link, post_object, relationship, and user.

Risk and Exploitability

With a CVSS score of 5.3, the flaw presents a moderate severity risk. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog, indicating that large-scale exploitation has not yet been observed. The likely attack path is an unauthenticated attacker targeting a publicly accessible front‑end ACF form, sending crafted AJAX requests to enumerate drafts and private content. Because the affected endpoints perform no authorization check, such requests succeed silently, so the vulnerability can be exercised without elevated privileges or prior user authentication.

Generated by OpenCVE AI on April 15, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ACF plugin to the latest version (6.7.1 or newer) whenever it becomes available to remove the missing authorization checks.
  • If an immediate upgrade is not possible, restrict all front‑end ACF form access behind authentication or move the forms to a private area, ensuring that only authorized users can trigger AJAX queries.
  • Review and modify field configurations to disable or limit the use of AJAX‑based select fields (page_link, post_object, relationship, user) and remove any custom query parameters that override default restrictions.

Generated by OpenCVE AI on April 15, 2026 at 02:21 UTC.


Advisories

No advisories yet.

References
Link
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-page_link.php#L144
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L155
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L92
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L118
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L171
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L180
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L187
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-user.php#L435
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-page_link.php#L144
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L155
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L92
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L118
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L171
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L180
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L187
https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-user.php#L435
https://www.wordfence.com/threat-intel/vulnerabilities/id/51e3a976-a1a3-411a-b88c-f1cb2aa8d5eb?source=cve
History

Wed, 15 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpengine; Wpengine advanced Custom Fields
Vendors & Products | | Wordpress; Wordpress wordpress; Wpengine; Wpengine advanced Custom Fields

Wed, 15 Apr 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.
Title | | Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T16:01:25.621Z

Reserved: 2026-03-25T13:02:36.082Z

Link: CVE-2026-4812

Vulnrichment

Updated: 2026-04-15T16:01:19.827Z

NVD

Status : Received

Published: 2026-04-15T04:17:48.523

Modified: 2026-04-15T04:17:48.523

Link: CVE-2026-4812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses