Unauthorized Data Access in Blocks for ACF Fields Plugin by WordPress
CVE-2026-12428

6.5MEDIUM

What is CVE-2026-12428?

The Blocks for ACF Fields plugin for WordPress suffers from a vulnerability that allows authenticated users with Author-level permissions or higher to gain unauthorized access to sensitive ACF field data. This occurs due to inadequate capability checks in the REST API endpoint, which relies solely on the generic publish_posts capability. Attackers can manipulate requests to the get_all_values() function, allowing them to retrieve ACF field values from posts they shouldn't be able to access, including private posts and drafts. This vulnerability raises serious concerns regarding data privacy and security in WordPress installations.

Affected Version(s)

Blocks for ACF Fields β€” Display Custom Fields in the Block Editor 0 <= 1.6.2

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

thinnawarth mathuros
.