Platform: wordpress
Component: advanced-custom-fields
Fixed in: 6.7.1
CVE-2026-4812 is a Missing Authorization vulnerability affecting the Advanced Custom Fields (ACF) plugin for WordPress. An unauthenticated attacker can leverage this flaw to enumerate and disclose sensitive information, such as draft and private posts, restricted post types, and other data that should be restricted by field configuration. This vulnerability impacts versions of ACF up to and including 6.7.0. A patch is available in version 6.7.1.
CVE-2026-4812 in the Advanced Custom Fields (ACF) plugin for WordPress is a Missing Authorization vulnerability that leads to arbitrary post/page disclosure. Specifically, ACF's AJAX field query endpoints, up to and including version 6.7.0, fail to properly validate authorization when receiving user-supplied filter parameters. This allows unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft and private posts, restricted posts, and potentially other sensitive content. The vulnerability has a CVSS score of 5.3, indicating moderate risk. Successful exploitation could lead to unauthorized access to confidential data, potentially compromising the integrity and confidentiality of the WordPress site.
An attacker could exploit this vulnerability if they have access to the frontend of a WordPress website using the ACF plugin. They could manipulate filter parameters in AJAX requests to access information about posts and pages that would normally be inaccessible to unauthenticated users. This might involve crafting specially designed HTTP requests to bypass access restrictions configured in ACF. The ease of exploitation depends on the website's configuration and the presence of ACF forms on the frontend. The lack of proper authorization validation in ACF's AJAX query endpoints facilitates exploitation.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-4812 is to update the Advanced Custom Fields (ACF) plugin to version 6.7.1 or later. This update includes the necessary fixes to properly validate authorization before processing user-supplied filter parameters. Additionally, review and audit ACF field configurations to ensure access restrictions are correctly implemented. Monitoring server logs for suspicious activity related to ACF AJAX queries can also help detect and prevent potential attacks. Maintaining a strong password policy and keeping WordPress and its plugins updated are essential security practices to reduce the overall risk of vulnerabilities.
Update to version 6.7.1, or a newer patched version
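The mitigation text above recommends monitoring server logs for suspicious ACF AJAX query activity. The following is an added example of what that detection could look like; it is not code from this advisory or from the ACF project. It assumes two things: that the field query endpoints the advisory refers to are the WordPress admin-ajax actions named in the `acf/fields/<type>/query` pattern (an assumption about ACF's naming scheme, not something the advisory states), and that the `action` parameter is visible in the logged request line. A stock combined access log records only the request path, so in practice the action would have to come from a WAF, reverse proxy or WordPress-side log; the sample lines are constructed with the action on the query string purely for illustration. The detector flags any client that sends a burst of field-query requests inside a sliding one-minute window, which is the pattern an enumeration attempt against this endpoint would leave behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed action names for ACF's AJAX field query endpoints (acf/fields/<type>/query).
# The advisory does not name the actions; adjust this pattern to match your ACF version.
ACF_QUERY_ACTION = re.compile(r"^acf/fields/[a-z_]+/query$")

# Apache/nginx "combined" request line. The action parameter is assumed to appear
# in the logged target; a plain combined log would not show a POST body.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, action) for an ACF field-query request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(parts.query).get("action", [""])[0]
    if not ACF_QUERY_ACTION.match(action):
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), action


def find_enumeration(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag client IPs whose largest burst of ACF field-query requests inside any
    sliding `window` exceeds `threshold`. Returns {ip: largest_burst_size}."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = parse_line(line)
        if hit:
            ip, ts, _action = hit
            by_ip[ip].append(ts)
    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, largest = 0, 0
        for end in range(len(stamps)):
            # Advance the window start until the span fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            largest = max(largest, end - start + 1)
        if largest > threshold:
            alerts[ip] = largest
    return alerts


# Constructed sample log: one client hammering a field-query action, one making
# two benign-looking queries, and one unrelated heartbeat/page request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:%02d +0000] "POST /wp-admin/admin-ajax.php'
    '?action=acf/fields/post_object/query HTTP/1.1" 200 812' % sec
    for sec in range(0, 40, 5)
] + [
    '198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=acf/fields/relationship/query HTTP/1.1" 200 640',
    '198.51.100.7 - - [10/Mar/2026:12:00:09 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=acf/fields/relationship/query HTTP/1.1" 200 640',
    '192.0.2.10 - - [10/Mar/2026:12:00:04 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 48',
    '192.0.2.10 - - [10/Mar/2026:12:00:06 +0000] "GET /index.php HTTP/1.1" 200 10240',
]

if __name__ == "__main__":
    for ip, burst in find_enumeration(SAMPLE_LOG).items():
        print(f"possible ACF field-query enumeration from {ip}: {burst} requests/min")
```

The threshold is deliberately low because legitimate frontend ACF forms issue these queries only as a user types into a field; a single client sending dozens per minute, particularly with no logged-in session, is worth a closer look. Feed it your own log lines (after confirming your log format actually carries the action) and tune `threshold` and `window` to the traffic you normally see.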
ACF is a popular WordPress plugin that allows users to create custom fields to manage the content of their websites.
Updating to version 6.7.1 or later corrects a security vulnerability that could allow attackers to access sensitive information.
If you can't update immediately, consider limiting access to ACF forms on the frontend and monitoring server logs for suspicious activity.
If you are using a version of ACF older than 6.7.1, your website is affected by this vulnerability.
Yes, keeping WordPress and other plugins updated, implementing a strong password policy, and using a web application firewall are additional security measures you can take.