CVE-2026-4812
Received Received - Intake
Unauthorized Data Disclosure via Missing Authorization in ACF Plugin

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Wordfence

Description
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4812
EUVD
EUVD-2026-22828
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
advanced_custom_fields acf to 6.7.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration. This unauthorized disclosure of potentially sensitive or private information could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require proper authorization and protection of personal or sensitive data.

Specifically, the lack of proper authorization checks in the AJAX field query endpoints may result in exposure of data that organizations are obligated to protect under these standards, thereby increasing the risk of data breaches and regulatory violations.

Executive Summary

The Advanced Custom Fields (ACF) plugin for WordPress has a vulnerability in versions up to and including 6.7.0 where AJAX field query endpoints accept user-supplied filter parameters without proper authorization checks.

This flaw allows unauthenticated attackers who can access a frontend ACF form to bypass field-configured restrictions and enumerate or disclose information about draft or private posts, restricted post types, and other data that should be protected.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive or restricted content on a WordPress site using the ACF plugin.

  • Attackers can access draft or private posts that are not meant to be public.
  • Restricted post types and other protected data can be enumerated and exposed.

Since the vulnerability requires no authentication and has a low attack complexity, it poses a moderate risk of information leakage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart