5.3

CVE-2026-4812

EPSS 0.04%
Veröffentlicht 15.04.2026 01:25:17
Zuletzt bearbeitet 15.04.2026 04:17:48
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 20

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerwpengine

≫

Produkt Advanced Custom Fields (ACF®)

Default Statusunaffected

Version <= 6.7.0

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.113

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/51e3a976-a1a3-411a-b88c-f1cb2aa8d5eb?source=cve

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L155

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L155

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L180

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L180

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L171

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L171

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L187

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L187

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-page_link.php#L144

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-page_link.php#L144

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-user.php#L435

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-user.php#L435

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L92

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L92

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L118

https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L118

https://nvd.nist.gov/vuln/detail/CVE-2026-4812

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-4812

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-4812

EUVD