How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows unauthenticated attackers to disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration. This unauthorized disclosure of potentially sensitive or private information could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require proper authorization and protection of personal or sensitive data.

Specifically, the lack of proper authorization checks in the AJAX field query endpoints may result in exposure of data that organizations are obligated to protect under these standards, thereby increasing the risk of data breaches and regulatory violations.

Useful 0 Not Useful 0

Can you explain this vulnerability to me?

The Advanced Custom Fields (ACF) plugin for WordPress has a vulnerability in versions up to and including 6.7.0 where AJAX field query endpoints accept user-supplied filter parameters without proper authorization checks.

This flaw allows unauthenticated attackers who can access a frontend ACF form to bypass field-configured restrictions and enumerate or disclose information about draft or private posts, restricted post types, and other data that should be protected.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can lead to unauthorized disclosure of sensitive or restricted content on a WordPress site using the ACF plugin.

• Attackers can access draft or private posts that are not meant to be public.
• Restricted post types and other protected data can be enumerated and exposed.

Since the vulnerability requires no authentication and has a low attack complexity, it poses a moderate risk of information leakage.

Useful 0 Not Useful 0