CVE-2026-4812 Overview
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This vulnerability exists because AJAX field query endpoints accept user-supplied filter parameters that override field-configured restrictions without proper authorization checks. Unauthenticated attackers with access to a frontend ACF form can enumerate and disclose information about draft/private posts, restricted post types, and other sensitive data that should be restricted by field configuration.
Critical Impact
Unauthenticated attackers can bypass authorization controls through ACF frontend forms to access sensitive draft posts, private content, and restricted post types.
Affected Products
- Advanced Custom Fields (ACF) plugin for WordPress versions up to and including 6.7.0
- WordPress sites utilizing ACF frontend forms with Page Link, Post Object, Relationship, or User field types
- Both the free ACF plugin and, potentially, ACF Pro, where the affected field types are used
Discovery Timeline
- April 15, 2026 - CVE-2026-4812 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-4812
Vulnerability Analysis
This vulnerability falls under CWE-862 (Missing Authorization), a critical class of access control flaws. The ACF plugin provides AJAX endpoints that power dynamic field types such as Page Link, Post Object, Relationship, and User fields. These endpoints are designed to query WordPress content and return matching results based on user input.
The core issue lies in how these AJAX handlers process incoming requests. When a user interacts with an ACF field on a frontend form, the plugin sends AJAX requests to retrieve matching posts or users. The vulnerability occurs because these endpoints accept user-controlled filter parameters that can override the restrictions configured by administrators in the field settings.
For instance, an administrator might configure a Relationship field to only show published posts of a specific post type. However, an attacker can craft malicious AJAX requests that supply additional filter parameters, effectively bypassing these configured restrictions to access draft posts, private posts, or content from restricted post types.
Root Cause
The root cause is the absence of proper authorization validation in the AJAX field query handlers. The affected field classes—including class-acf-field-page_link.php, class-acf-field-post_object.php, class-acf-field-relationship.php, and class-acf-field-user.php—fail to verify that incoming filter parameters align with the field's configured access restrictions.
Specifically, the AJAX handlers merge user-supplied parameters with field configuration without validating whether the requesting user should have access to query those parameters. This allows attackers to inject parameters like post_status=draft, post_status=private, or specify unauthorized post types, effectively querying content they should not have access to.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication. An attacker targeting a WordPress site with ACF frontend forms would:
- Identify a page containing an ACF frontend form with Page Link, Post Object, Relationship, or User field types
- Intercept the AJAX requests generated when interacting with these fields
- Modify the request parameters to include restricted content filters (e.g., adding post_status parameters for draft or private posts)
- Submit the modified requests to enumerate and extract sensitive content information
The attacker can craft requests to the ACF AJAX endpoints with manipulated parameters. By modifying the filter parameters in AJAX requests to the /wp-admin/admin-ajax.php endpoint with ACF-specific actions, attackers can override the field-level restrictions and query posts that should be inaccessible. This could expose draft content, private posts, or content from restricted post types that administrators intended to keep hidden.
Detection Methods for CVE-2026-4812
Indicators of Compromise
- Unusual AJAX requests to /wp-admin/admin-ajax.php containing ACF action handlers with modified post_status parameters
- Access logs showing repeated queries attempting to enumerate post content with various filter combinations
- Evidence of unauthorized access to draft or private post content through ACF field endpoints
- Anomalous traffic patterns targeting ACF-related AJAX actions from unauthenticated sources
Detection Strategies
- Monitor web server access logs for AJAX requests to admin-ajax.php containing ACF field query actions with suspicious parameters
- Implement Web Application Firewall (WAF) rules to detect and block requests attempting to inject post_status=draft or post_status=private parameters in ACF AJAX calls
- Deploy intrusion detection signatures for patterns indicating ACF authorization bypass attempts
- Review application logs for successful queries returning draft or private content to unauthenticated users
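As an added illustration of the log-review strategies above (example code written for this page, not part of the original advisory or of ACF), the following Python scans log lines for ACF field-query actions that carry client-supplied post_status or post_type filters and flags sources that repeat them. The log format (a combined access log with the request body appended as a final quoted field) and the acf/fields/<type>/query action pattern are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Assumed log format: combined access log with the request body appended as a
# final quoted field (a WAF or audit module can record it; stock logs omit bodies).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$')
# Action-name pattern assumed from ACF's "acf/fields/<type>/query" convention.
ACF_QUERY = re.compile(r"^acf/fields/(page_link|post_object|relationship|user)/query$")

# Constructed sample: one benign query, three filter-injecting queries from one
# source (enumeration), and one unrelated admin-ajax call.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "action=acf%2Ffields%2Frelationship%2Fquery&s=budget&paged=1"
203.0.113.9 - - [15/Apr/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2048 "action=acf%2Ffields%2Frelationship%2Fquery&s=&post_status=draft&paged=1"
203.0.113.9 - - [15/Apr/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2048 "action=acf%2Ffields%2Fpost_object%2Fquery&s=&post_status=private&paged=1"
203.0.113.9 - - [15/Apr/2026:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1800 "action=acf%2Ffields%2Fpost_object%2Fquery&s=&post_type=client_note&paged=1"
198.51.100.7 - - [15/Apr/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-"
"""

def parse_line(line):
    """Split a log line into fields; merge query-string and body parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["path"], _, query = e["path"].partition("?")
    e["params"] = parse_qs(query)
    if e["body"] != "-":
        e["params"].update(parse_qs(e["body"]))
    return e

def classify(e):
    """Return a finding when an ACF field query carries client-supplied filters."""
    action = e["params"].get("action", [""])[0]
    if e["path"] != "/wp-admin/admin-ajax.php" or not ACF_QUERY.match(action):
        return None
    # A client-supplied post_status or post_type is the override the field config should forbid.
    injected = {k: e["params"][k] for k in ("post_status", "post_type") if k in e["params"]}
    if not injected:
        return None
    return {"ip": e["ip"], "ts": e["ts"], "action": action, "injected": injected}

def scan_log(text, enum_threshold=3):
    """Return (findings, ips), ips being sources with >= enum_threshold findings."""
    entries = filter(None, map(parse_line, text.splitlines()))
    findings = [f for f in map(classify, entries) if f]
    per_ip = Counter(f["ip"] for f in findings)
    return findings, sorted(ip for ip, n in per_ip.items() if n >= enum_threshold)
```

Run against SAMPLE_LOG, scan_log returns three findings and lists 203.0.113.9 as a repeating source; lower enum_threshold when feeding real logs with sparser traffic.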
Monitoring Recommendations
- Enable detailed logging on WordPress sites to capture all AJAX request parameters and responses
- Set up alerts for unusual access patterns to ACF-powered forms, particularly those involving field enumeration behavior
- Monitor for data exfiltration indicators such as bulk content retrieval through ACF endpoints
- Implement rate limiting on AJAX endpoints to slow down enumeration attempts
How to Mitigate CVE-2026-4812
Immediate Actions Required
- Update the Advanced Custom Fields plugin to the latest patched version beyond 6.7.0 immediately
- Audit existing ACF frontend forms to identify which use the affected field types (Page Link, Post Object, Relationship, User)
- Temporarily disable frontend ACF forms if they contain sensitive field types until patching is complete
- Review access logs for evidence of past exploitation attempts
Patch Information
Update the Advanced Custom Fields plugin through the WordPress admin dashboard or download the latest version from the official WordPress plugin repository. For detailed vulnerability information and patch status, refer to the Wordfence Vulnerability Report.
The vulnerable code spans multiple field class files:
- class-acf-field-page_link.php
- class-acf-field-post_object.php
- class-acf-field-relationship.php
- class-acf-field-user.php
Workarounds
- Remove or disable ACF frontend forms containing Page Link, Post Object, Relationship, or User fields until the patch is applied
- Implement server-side request filtering to block AJAX requests with unauthorized filter parameters targeting ACF endpoints
- Use a Web Application Firewall (WAF) to enforce strict parameter validation on ACF AJAX requests
- Convert affected frontend forms to backend-only administrative interfaces where proper authorization is enforced
# WordPress CLI command to check ACF plugin version
wp plugin list --name=advanced-custom-fields --fields=name,version,status
# Update ACF plugin to latest version
wp plugin update advanced-custom-fields
# Alternatively, disable ACF temporarily if update is not immediately available
wp plugin deactivate advanced-custom-fields
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.