CVE-2026-4812 — Missing Authorization in Advanced Custom Fields

CWE-862 — Missing Authorization2 documents2 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 88.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wpengine Advanced Custom Fields

Timeline

PublishedApr 15

Description

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5wpengine/advanced_custom_fields6.7.0

🔴Vulnerability Details

CVEList

Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters↗2026-04-15

▶