Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12428

CVE-2026-12428: Blocks for ACF Fields Auth Bypass Flaw

CVE-2026-12428 is an authentication bypass vulnerability in the Blocks for ACF Fields WordPress plugin that allows Authors to access unauthorized ACF field data. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-12428 Overview

CVE-2026-12428 is a broken access control vulnerability in the Blocks for ACF Fields plugin for WordPress. The flaw affects all versions up to and including 1.6.2. The vulnerability resides in the get_all_values() function exposed through the /wp-json/acf-field-blocks/v1/values REST endpoint. The permission_callback only checks the generic publish_posts capability, and the handler passes a user-supplied id parameter directly to get_field_objects() without verifying object-level authorization. Authenticated attackers with Author-level access or above can read Advanced Custom Fields (ACF) values from arbitrary posts, including private posts, drafts, and content owned by other users. This maps to CWE-862: Missing Authorization.

Critical Impact

Authenticated Author-level users can read ACF field values from private posts, drafts, and other ACF-supported objects they should not access.

Affected Products

  • Blocks for ACF Fields plugin for WordPress — versions up to and including 1.6.2
  • WordPress sites exposing the /wp-json/acf-field-blocks/v1/values REST route
  • ACF-supported objects (posts, pages, custom post types) managed by the plugin

Discovery Timeline

  • 2026-07-09 - CVE-2026-12428 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-12428

Vulnerability Analysis

The Blocks for ACF Fields plugin registers a REST endpoint at /wp-json/acf-field-blocks/v1/values that returns ACF field data for a given object. The permission_callback protecting the route only validates the caller's publish_posts capability. In default WordPress installations, this capability is granted to Authors, Editors, and Administrators. Authors are trusted only for content they own, so a generic capability check is insufficient authorization for reading arbitrary objects.

Inside the handler, the get_all_values() function reads a client-supplied id parameter and passes it directly to WordPress's get_field_objects() helper. The handler never verifies that the requesting user can read the target object identified by id. As a result, the endpoint returns ACF field values for any object ID an attacker submits.

Root Cause

The root cause is a missing object-level authorization check between the REST permission callback and the data retrieval function. A capability check answers whether a user can perform a class of actions but does not answer whether they can access a specific resource. The fix requires a per-object check such as current_user_can( 'read_post', $id ) before returning field values.

Attack Vector

The attack is remote and requires authentication at Author level or above. An attacker sends an authenticated GET request to /wp-json/acf-field-blocks/v1/values with an id parameter referencing a private post, draft, or another user's content. The endpoint returns the associated ACF field values in the JSON response. See the Wordfence Vulnerability Report and the WordPress ACF REST Class Code for the vulnerable handler.

Detection Methods for CVE-2026-12428

Indicators of Compromise

  • Authenticated REST requests to /wp-json/acf-field-blocks/v1/values with varying id parameters from a single Author-level session.
  • HTTP 200 responses from the endpoint returning field data for object IDs the requesting user does not own.
  • Enumeration patterns showing sequential or scripted id values in web server access logs.

Detection Strategies

  • Inspect web server and WordPress logs for requests to /wp-json/acf-field-blocks/v1/values originating from non-Editor, non-Administrator accounts.
  • Correlate the requesting user's ID with the target object's post_author to flag cross-user reads.
  • Alert on high-volume REST calls to the endpoint that iterate through post IDs.

Monitoring Recommendations

  • Enable REST API request logging on WordPress and forward logs to a centralized SIEM for analysis.
  • Baseline normal usage of the acf-field-blocks route and alert on deviations tied to Author accounts.
  • Review audit trails for newly created Author accounts followed by REST enumeration activity.

How to Mitigate CVE-2026-12428

Immediate Actions Required

  • Update the Blocks for ACF Fields plugin to a version above 1.6.2 that includes the authorization fix.
  • Audit user accounts and remove Author-or-above privileges from untrusted users.
  • Review ACF field data for sensitive content that may have been exposed through the endpoint.

Patch Information

The vendor addressed the vulnerability by adding an object-level authorization check in the REST handler. Refer to the WordPress ACF Changeset for the code change and update the plugin from the WordPress admin dashboard.

Workarounds

  • Restrict access to the /wp-json/acf-field-blocks/v1/values route at the web server or WAF layer until the plugin is updated.
  • Deactivate the Blocks for ACF Fields plugin if an immediate update is not possible.
  • Downgrade high-privilege user accounts to Contributor or Subscriber roles where feasible to remove publish_posts.
bash
# Example Nginx rule to block the vulnerable REST route until patched
location ~* /wp-json/acf-field-blocks/v1/values {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.