Advanced Custom Fields (ACF), CVE-2026-4812

CVE, Research URL: CVE-2026-4812
Home page URL: Security reports for Advanced Custom Fields (ACF)
Application: Advanced Custom Fields (ACF)
Published on: Apr 15, 2026
Research Description: The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.
Affected versions: max 6.7.1.
Status: vulnerable