Smart Custom Fields < 5.0.7 – Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search | CVE 2026-4066 | Plugin Vulnerabilities

Description

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post.

Affects Plugins

smart-custom-fields

Fixed in 5.0.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/87f52e3a-e414-4f47-b46c-e3811e76744b

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

darkmode

Verified

No

WPVDB ID

aa6eb50e-55d4-4792-85c9-b08def8efe8a

Timeline

Publicly Published

2026-03-23 (about 2 months ago)

Added

2026-03-23 (about 2 months ago)

Last Updated

2026-03-23 (about 2 months ago)

Other

Published

Title

Published

2025-12-03

Title

Order Delivery Date for WooCommerce < 4.3.2 - Missing Authorization

Published

2026-05-27

Title

Visualizer: Tables and Charts Manager for WordPress < 3.11.15 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions

Published

2025-06-23

Title

Abandoned Contact Form 7 < 2.9 - Missing Authorization

Published

2026-03-01

Title

Precious Metals Automated Product Pricing – Pro <= 4.0.5 - Missing Authorization

Published

2025-06-19

Title

User Roles and Capabilities <= 1.2.6 - Missing Authorization