cleantalk
Vulnerabilities and Security Researches

Advanced Custom Fields (ACF), CVE-2026-8382

CVE, Research URL

CVE-2026-8382

Home page URL

Security reports for Advanced Custom Fields (ACF)

Application

Advanced Custom Fields (ACF)

Published on
May 31, 2026
Research Description
The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.
Affected versions
max 6.8.2.
Status
vulnerable
Previous vulnerability researches
SERPed.net (CVE-2025-24669) , Jan 26, 2025
SERPed.net (CVE-2025-28998) , Jul 02, 2025
SERPed.net (CVE-2025-32651) , Apr 18, 2025
New vulnerability
Advanced Custom Fields (ACF) (CVE-2026-8382) , Jun 01, 2026
GEO my WordPress (CVE-2026-9757) , Jun 01, 2026
StatCounter – Free Real Time Visitor Stats (CVE-2026-6275) , May 31, 2026
Post Snippets – Custom WordPress Code Snippets Customizer (CVE-2026-7430) , May 31, 2026
Poll Maker – Best WordPress Poll Plugin (CVE-2026-8995) , May 31, 2026