Missing Authorization in Advanced Custom Fields Plugin for WordPress
CVE-2026-4812

5.3 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
15 April 2026

What is CVE-2026-4812?

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to sensitive information disclosure in all versions up to and including 6.7.0. The AJAX field query endpoints do not enforce proper authorization checks on user-supplied filter parameters, so an unauthenticated attacker can influence which posts a query returns. This allows the attacker to enumerate and disclose data from draft and private posts, and from other restricted post types that the field configuration was expected to keep out of reach. Site administrators should make sure they are running the latest version of the ACF plugin and apply any relevant patches.
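The pattern the description refers to, and how a handler of this kind is normally hardened, shown as an added example that is not ACF's code: a hypothetical WordPress AJAX action (`example_post_query`) that accepts `post_type`, `post_status` and a search term from the request. The action names, the post-type allow-list and the capability choices are assumptions for illustration; ACF's actual endpoint names and fix may differ.

```php
<?php
/*
 * Illustrative WordPress admin-ajax handlers (added example, not ACF's code).
 * Both functions assume they run inside WordPress (WP_Query, current_user_can, etc.).
 */

/* --- Vulnerable pattern: reachable without login, filter parameters trusted --- */
add_action( 'wp_ajax_example_post_query', 'example_post_query_vulnerable' );
add_action( 'wp_ajax_nopriv_example_post_query', 'example_post_query_vulnerable' ); // anonymous callers allowed

function example_post_query_vulnerable() {
    // Every filter argument comes straight from the request and is passed to the query.
    $args = array(
        'post_type'      => $_POST['post_type'] ?? 'post',     // attacker picks any (non-public) type
        'post_status'    => $_POST['post_status'] ?? 'publish', // attacker sends 'draft' or 'private'
        's'              => $_POST['s'] ?? '',                  // search term enables content enumeration
        'posts_per_page' => 20,
    );
    $out = array();
    foreach ( get_posts( $args ) as $p ) {
        // Returns titles/excerpts of whatever matched, with no per-post read check.
        $out[] = array( 'id' => $p->ID, 'title' => $p->post_title, 'excerpt' => $p->post_excerpt );
    }
    wp_send_json_success( $out );
}

/* --- Hardened form: authenticated only, nonce, capability gate, constrained filters, per-post check --- */
add_action( 'wp_ajax_example_post_query_safe', 'example_post_query_safe' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous requests get WordPress's default "0" reply.

function example_post_query_safe() {
    // 1. CSRF protection: the nonce must have been issued to this logged-in session.
    check_ajax_referer( 'example_post_query', 'nonce' );

    // 2. Authorization: field-configuration UIs are for editors, not every logged-in account.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Constrain filter parameters instead of trusting them.
    $allowed_types = array( 'post', 'page' ); // hypothetical allow-list taken from the field's configuration
    $post_type     = sanitize_key( $_POST['post_type'] ?? 'post' );
    if ( ! in_array( $post_type, $allowed_types, true ) ) {
        wp_send_json_error( 'bad post_type', 400 );
    }

    // Only users who may read private content can widen the status filter beyond 'publish'.
    $statuses = array( 'publish' );
    if ( current_user_can( 'read_private_posts' ) ) {
        $statuses = array( 'publish', 'private', 'draft', 'pending' );
    }
    $requested   = sanitize_key( $_POST['post_status'] ?? 'publish' );
    $post_status = in_array( $requested, $statuses, true ) ? $requested : 'publish';

    $query = new WP_Query( array(
        'post_type'      => $post_type,
        'post_status'    => $post_status,
        's'              => sanitize_text_field( wp_unslash( $_POST['s'] ?? '' ) ),
        'posts_per_page' => 20,
        'no_found_rows'  => true,
    ) );

    $out = array();
    foreach ( $query->posts as $p ) {
        // 4. Authoritative per-object check: WordPress decides whether *this* user may read *this* post
        //    (covers another author's drafts, private posts and custom capability mappings).
        if ( ! current_user_can( 'read_post', $p->ID ) ) {
            continue;
        }
        $out[] = array( 'id' => $p->ID, 'title' => get_the_title( $p ) );
    }
    wp_send_json_success( $out );
}
```

The per-post `current_user_can( 'read_post', $id )` check in step 4 is the one that matters most: status and type allow-lists narrow the query, but only the meta-capability check accounts for ownership and custom post types whose `read` capability has been remapped. A quick way to verify a site's own handlers is to POST the action name to `wp-admin/admin-ajax.php` without a session cookie; a handler that should be editor-only must answer with WordPress's default `0` rather than post data.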

Affected Version(s)

Advanced Custom Fields (ACF®) versions up to and including 6.7.0

References

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Fernando Mecozzi