Unauthorized Data Access in Blocks for ACF Fields Plugin by WordPress
CVE-2026-12428
6.5MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-12428?
The Blocks for ACF Fields plugin for WordPress suffers from a vulnerability that allows authenticated users with Author-level permissions or higher to gain unauthorized access to sensitive ACF field data. This occurs due to inadequate capability checks in the REST API endpoint, which relies solely on the generic publish_posts capability. Attackers can manipulate requests to the get_all_values() function, allowing them to retrieve ACF field values from posts they shouldn't be able to access, including private posts and drafts. This vulnerability raises serious concerns regarding data privacy and security in WordPress installations.
Affected Version(s)
Blocks for ACF Fields β Display Custom Fields in the Block Editor 0 <= 1.6.2