The Smart Custom Fields plugin for WordPress, widely used to add custom fields to posts, contains a vulnerability identified as CVE-2026-4066. The root cause is a missing authorization check in the relational_posts_search() function, which is triggered via the smart-cf-relational-posts-search AJAX action. This function queries posts with post_status=any and returns full WP_Post objects, including sensitive post_content fields. However, it only verifies that the user has the generic edit_posts capability, which Contributors and above possess, rather than confirming if the user has permission to read each individual post. Consequently, an authenticated attacker with Contributor-level access can enumerate and read private and draft posts authored by other users, violating confidentiality. The vulnerability affects all versions up to and including 5.0.6 of the plugin. Exploitation requires authentication but no additional user interaction. The CVSS 3.1 base score is 4.3, reflecting low complexity and limited impact on integrity and availability but a clear confidentiality breach. No patches are currently linked, and no known exploits have been reported in the wild. This vulnerability exemplifies CWE-862 (Missing Authorization), where insufficient permission checks allow unauthorized data access.

This vulnerability primarily impacts the confidentiality of WordPress sites using the Smart Custom Fields plugin up to version 5.0.6. Attackers with Contributor or higher privileges can access private and draft posts of other users, potentially exposing sensitive or proprietary information. This could lead to data leakage, reputational damage, and loss of trust, especially for organizations that rely on WordPress for internal communications or content management. Since Contributors typically have limited permissions, this vulnerability significantly elevates their access rights beyond intended boundaries. Although it does not affect data integrity or availability, unauthorized disclosure of unpublished content can have serious consequences in environments handling confidential data, intellectual property, or regulated information. The scope is limited to sites using this specific plugin version, but given WordPress's global popularity, the affected population could be substantial. No known active exploitation reduces immediate risk, but the vulnerability remains a concern until remediated.

Organizations should immediately upgrade the Smart Custom Fields plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators can implement temporary mitigations such as restricting Contributor-level user roles from accessing the AJAX action smart-cf-relational-posts-search by customizing WordPress hooks or using security plugins to block unauthorized AJAX requests. Reviewing and tightening user role permissions to minimize Contributor access or disabling the plugin if not essential can reduce exposure. Additionally, applying web application firewall (WAF) rules to detect and block suspicious AJAX calls targeting this endpoint may help. Site owners should audit their content for any sensitive information that may have been exposed and monitor logs for unusual access patterns. Finally, following secure development best practices, plugin developers should enforce fine-grained authorization checks on all data access functions to prevent similar issues.