
    6 vulnerabilities found for Advanced Custom Fields (ACF®) by wpengine

    CVE-2026-8382 (GCVE-0-2026-8382)

    Vulnerability from nvd – Published: 2026-05-31 02:28 – Updated: 2026-06-01 10:33
    Title
    Advanced Custom Fields (ACF®) <= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters
    Summary
    The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    wpengine Advanced Custom Fields (ACF®) Affected: 0 , ≤ 6.8.1 (semver)
    Credits
    Sarawut Poolkhet

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8382",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T10:32:13.854562Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T10:33:23.161Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF\u00ae)",
              "vendor": "wpengine",
              "versions": [
                {
                  "lessThanOrEqual": "6.8.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sarawut Poolkhet"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF\u00ae) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-31T02:28:00.276Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddb2290d-d4bd-4f70-9fe9-927f49721811?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.8.0/includes/forms/form-front.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3549586/advanced-custom-fields/trunk/includes/forms/form-front.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-30T14:23:34.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Advanced Custom Fields (ACF\u00ae) \u003c= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form \u0027_post_title\u0027 and \u0027_post_content\u0027 Parameters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8382",
        "datePublished": "2026-05-31T02:28:00.276Z",
        "dateReserved": "2026-05-12T09:06:53.362Z",
        "dateUpdated": "2026-06-01T10:33:23.161Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4812 (GCVE-0-2026-4812)

    Vulnerability from nvd – Published: 2026-04-15 01:25 – Updated: 2026-04-15 16:01
    Title
    Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters
    Summary
    The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    wpengine Advanced Custom Fields (ACF®) Affected: 0 , ≤ 6.7.0 (semver)
    Credits
    Fernando Mecozzi

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4812",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T15:59:04.353708Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T16:01:25.621Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF\u00ae)",
              "vendor": "wpengine",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fernando Mecozzi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T01:25:17.540Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51e3a976-a1a3-411a-b88c-f1cb2aa8d5eb?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L155"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L155"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L180"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L180"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L171"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L171"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L187"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L187"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-page_link.php#L144"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-page_link.php#L144"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-user.php#L435"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-user.php#L435"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L92"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L92"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L118"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L118"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-14T12:58:08.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Advanced Custom Fields (ACF\u00ae) \u003c= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4812",
        "datePublished": "2026-04-15T01:25:17.540Z",
        "dateReserved": "2026-03-25T13:02:36.082Z",
        "dateUpdated": "2026-04-15T16:01:25.621Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-6701 (GCVE-0-2023-6701)

    Vulnerability from nvd – Published: 2024-02-05 21:22 – Updated: 2026-04-08 17:29
    Title
    Advanced Custom Fields <= 6.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field
    Summary
    The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Francesco Carlucci

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6701",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-07T16:11:47.427245Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T17:21:39.641Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:35:14.940Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3593dfd-7b2a-4d01-8af0-725b444dc81b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3022469/advanced-custom-fields"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF\u00ae)",
              "vendor": "wpengine",
              "versions": [
                {
                  "lessThanOrEqual": "6.2.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields Pro",
              "vendor": "Delicious Brains",
              "versions": [
                {
                  "lessThanOrEqual": "6.2.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:29:24.390Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3593dfd-7b2a-4d01-8af0-725b444dc81b?source=cve"
            },
            {
              "url": "https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3022469/advanced-custom-fields"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-12T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-01-17T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Advanced Custom Fields \u003c= 6.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6701",
        "datePublished": "2024-02-05T21:22:04.222Z",
        "dateReserved": "2023-12-11T22:41:11.370Z",
        "dateUpdated": "2026-04-08T17:29:24.390Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8382 (GCVE-0-2026-8382)

    Vulnerability from cvelistv5 – Published: 2026-05-31 02:28 – Updated: 2026-06-01 10:33
    Title
    Advanced Custom Fields (ACF®) <= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters
    Summary
    The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    wpengine Advanced Custom Fields (ACF®) Affected: 0 , ≤ 6.8.1 (semver)
    Credits
    Sarawut Poolkhet

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8382",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T10:32:13.854562Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T10:33:23.161Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF\u00ae)",
              "vendor": "wpengine",
              "versions": [
                {
                  "lessThanOrEqual": "6.8.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sarawut Poolkhet"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF\u00ae) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-31T02:28:00.276Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddb2290d-d4bd-4f70-9fe9-927f49721811?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.8.0/includes/forms/form-front.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3549586/advanced-custom-fields/trunk/includes/forms/form-front.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-30T14:23:34.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Advanced Custom Fields (ACF\u00ae) \u003c= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form \u0027_post_title\u0027 and \u0027_post_content\u0027 Parameters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8382",
        "datePublished": "2026-05-31T02:28:00.276Z",
        "dateReserved": "2026-05-12T09:06:53.362Z",
        "dateUpdated": "2026-06-01T10:33:23.161Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4812 (GCVE-0-2026-4812)

    Vulnerability from cvelistv5 – Published: 2026-04-15 01:25 – Updated: 2026-04-15 16:01
    Title
    Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters
    Summary
    The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    wpengine Advanced Custom Fields (ACF®) Affected: 0 , ≤ 6.7.0 (semver)
    Credits
    Fernando Mecozzi

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4812",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-15T15:59:04.353708Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T16:01:25.621Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF\u00ae)",
              "vendor": "wpengine",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Fernando Mecozzi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-15T01:25:17.540Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51e3a976-a1a3-411a-b88c-f1cb2aa8d5eb?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L155"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L155"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L180"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L180"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L171"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L171"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L187"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L187"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-page_link.php#L144"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-page_link.php#L144"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-user.php#L435"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-user.php#L435"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-post_object.php#L92"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-post_object.php#L92"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/trunk/includes/fields/class-acf-field-relationship.php#L118"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.7.0/includes/fields/class-acf-field-relationship.php#L118"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-14T12:58:08.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Advanced Custom Fields (ACF\u00ae) \u003c= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4812",
        "datePublished": "2026-04-15T01:25:17.540Z",
        "dateReserved": "2026-03-25T13:02:36.082Z",
        "dateUpdated": "2026-04-15T16:01:25.621Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-6701 (GCVE-0-2023-6701)

    Vulnerability from cvelistv5 – Published: 2024-02-05 21:22 – Updated: 2026-04-08 17:29
    Title
    Advanced Custom Fields <= 6.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field
    Summary
    The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Francesco Carlucci

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6701",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-07T16:11:47.427245Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T17:21:39.641Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:35:14.940Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3593dfd-7b2a-4d01-8af0-725b444dc81b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3022469/advanced-custom-fields"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields (ACF\u00ae)",
              "vendor": "wpengine",
              "versions": [
                {
                  "lessThanOrEqual": "6.2.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Custom Fields Pro",
              "vendor": "Delicious Brains",
              "versions": [
                {
                  "lessThanOrEqual": "6.2.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Francesco Carlucci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:29:24.390Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3593dfd-7b2a-4d01-8af0-725b444dc81b?source=cve"
            },
            {
              "url": "https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3022469/advanced-custom-fields"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-12T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-01-17T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Advanced Custom Fields \u003c= 6.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6701",
        "datePublished": "2024-02-05T21:22:04.222Z",
        "dateReserved": "2023-12-11T22:41:11.370Z",
        "dateUpdated": "2026-04-08T17:29:24.390Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }