Description
The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.
Published: 2026-05-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Advanced Custom Fields WordPress plugin allows an attacker to alter the title and content of any post that is exposed through a publicly accessible acf_form() instance. By submitting crafted values for the _post_title and _post_content parameters in a form request, an unauthenticated user can overwrite the original post data. This leads to data tampering, defacement, or injection of malicious content, compromising the integrity of the site's content. The weakness is an authorization bypass (CWE‑862, Missing Authorization).

Affected Systems

WordPress sites that have the Advanced Custom Fields plugin installed in version 6.8.1 or earlier are affected. Sites that expose an acf_form() instance publicly (e.g., contact or custom front‑end forms) are at risk. The vulnerability applies to all installations of the plugin regardless of user role or permissions.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is not available, so the current exploitation probability is unknown, and the issue is not in the CISA KEV catalog. The likely attack vector is via an unauthenticated HTTP POST to the plugin’s front‑end form handler, requiring no special credentials or advanced skills. Once exploited, the attacker can modify posts site‑wide, making it a moderate risk to data integrity and site trustworthiness.

Generated by OpenCVE AI on May 31, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced Custom Fields plugin to version 6.8.2 or newer.
  • If an upgrade is not immediately possible, restrict the acf_form() instance to authenticated users or otherwise limit public access to the form.
  • Disable or remove any publicly exposed acf_form() instances until the plugin can be updated.
  • Monitor web server logs for unexpected POST requests to the front‑end form endpoint and investigate anomalous activity.
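The second and third recommended actions can be applied at the template level while waiting for the upgrade. The following is an added example (not code from ACF or OpenCVE): a WordPress page template that only calls acf_form_head() and acf_form() for a logged-in user who can edit the queried post. It assumes a theme page template whose queried post is the one the form edits; the example_ function name is hypothetical.

```php
<?php
/**
 * Added example, not ACF's or OpenCVE's code: gate a front-end acf_form()
 * behind a logged-in user with edit rights on the post, as an interim
 * mitigation until the plugin is upgraded.
 *
 * Assumptions: this file is a page template (for example page-edit-entry.php)
 * whose queried post is the one the form edits; example_ names are hypothetical.
 */

// Decide once, before any output, whether this visitor may use the form.
function example_user_may_edit_form_post( $post_id ) {
    return is_user_logged_in() && current_user_can( 'edit_post', $post_id );
}

$post_id = get_queried_object_id();
$allowed = function_exists( 'acf_form' ) && example_user_may_edit_form_post( $post_id );

// acf_form_head() must run before any HTML and is what processes a submitted
// form, so calling it only for authorised users means an anonymous POST to
// this page is never handed to the form handler at all.
if ( $allowed ) {
    acf_form_head();
}

get_header();

if ( $allowed ) {
    acf_form( array(
        'post_id'      => $post_id,
        'post_title'   => true,
        'post_content' => true,
        'return'       => get_permalink( $post_id ),
    ) );
} elseif ( ! is_user_logged_in() ) {
    printf(
        '<p><a href="%s">Log in</a> to edit this entry.</p>',
        esc_url( wp_login_url( get_permalink( $post_id ) ) )
    );
} else {
    echo '<p>You do not have permission to edit this entry.</p>';
}

get_footer();
```

This only protects the template it is placed in: every other template or shortcode that calls acf_form_head() unconditionally still exposes its form, so audit the theme for all call sites, and treat the check as a stopgap rather than a substitute for the 6.8.2 upgrade.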

Advisories

No advisories yet.

History

Sun, 31 May 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.
Title | (none) | Advanced Custom Fields (ACF®) <= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters
Weaknesses | (none) | CWE-862
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-31T02:28:00.276Z

Reserved: 2026-05-12T09:06:53.362Z

Link: CVE-2026-8382

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T04:16:19.880

Modified: 2026-05-31T04:16:19.880

Link: CVE-2026-8382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T04:30:06Z

Weaknesses