Advanced Custom Fields (ACF®) < 6.7.1 – Unauthenticated Arbitrary Post/Page Disclosure via AJAX Field Query Parameters | CVE 2026-4812 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.

Affects Plugins

advanced-custom-fields

Fixed in 6.7.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/51e3a976-a1a3-411a-b88c-f1cb2aa8d5eb

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Fernando Mecozzi

Verified

No

WPVDB ID

ec38fe73-6f28-4917-bb29-fb7226b6429e

Timeline

Publicly Published

2026-04-14 (about 1 month ago)

Added

2026-04-14 (about 29 days ago)

Last Updated

2026-04-14 (about 29 days ago)

Other

Published

Title

Published

2026-01-06

Title

Easy Form Builder < 4.0.0 - Missing Authorization

Published

2025-09-03

Title

Classified Listing < 5.0.7 - Missing Authorization

Published

2026-04-03

Title

ProfilePress < 4.16.12 - Subscriber+ Membership Payment Bypass

Published

2025-02-11

Title

iNET Webkit < 1.2.3 - Missing Authorization

Published

2025-05-16

Title

Acerola <= 1.6.5 - Missing Authorization