CVE-2026-4066: CWE-862 Missing Authorization in inc2734 Smart Custom Fields
The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post.
AI Analysis
Technical Summary
CVE-2026-4066 is a missing authorization vulnerability (CWE-862) in the Smart Custom Fields plugin for WordPress, affecting all versions up to 5.0.6. The relational_posts_search() function, invoked via the smart-cf-relational-posts-search AJAX action, improperly restricts access by only verifying the generic edit_posts capability. This allows authenticated users with Contributor-level privileges or higher to access full WP_Post objects, including private and draft post content from other authors, without proper read permission checks. The vulnerability results in unauthorized information disclosure but does not impact data integrity or availability.
Potential Impact
An attacker with Contributor-level or higher access can read private and draft posts of other users, leading to unauthorized disclosure of potentially sensitive content. There is no indication of impact on data integrity or system availability. The CVSS v3.1 base score is 4.3, reflecting medium severity driven by the confidentiality impact combined with low attack complexity and low privileges required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level access to trusted users only. Monitor for updates from the inc2734 vendor regarding a security patch addressing this missing authorization issue.
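To make the authorization gap concrete, the following is an added illustrative example, not code from the Smart Custom Fields plugin or from inc2734. It shows a hypothetical AJAX search handler written the way the advisory describes the flaw (a single generic edit_posts check, a post_status=any query, and full WP_Post objects returned) next to a hardened version that additionally applies WordPress's per-post read_post meta capability and returns only the fields a relational-field picker needs. Function names, the nonce action and the AJAX action name are assumptions for illustration.

```php
<?php
// Illustrative example of the CWE-862 pattern described in CVE-2026-4066 and a
// hardened alternative. This is NOT the plugin's own code; the function names,
// the 'example-nonce' action and the 'example_relational_search' AJAX action
// are hypothetical.

// Vulnerable pattern (as described in the advisory): only the generic
// edit_posts capability is checked, post_status=any is queried, and the full
// WP_Post objects (including post_content) are sent back to the caller.
function example_relational_search_vulnerable() {
    check_ajax_referer( 'example-nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $posts = get_posts( array(
        's'           => sanitize_text_field( wp_unslash( $_POST['s'] ?? '' ) ),
        'post_status' => 'any',   // matches private and draft posts of other authors
        'numberposts' => 20,
    ) );
    wp_send_json_success( $posts );   // discloses post_content of every match
}

// Hardened pattern: keep the role gate, then require per-post read permission
// and return only the fields the UI needs instead of the whole WP_Post object.
function example_relational_search_hardened() {
    check_ajax_referer( 'example-nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $posts = get_posts( array(
        's'           => sanitize_text_field( wp_unslash( $_POST['s'] ?? '' ) ),
        'post_status' => array( 'publish', 'private', 'draft', 'pending', 'future' ),
        'numberposts' => 50,
    ) );
    $results = array();
    foreach ( $posts as $post ) {
        // WordPress maps read_post to read_private_posts for another author's
        // private post and to edit_post for another author's draft, so a
        // Contributor only gets published posts and their own unpublished ones.
        if ( ! current_user_can( 'read_post', $post->ID ) ) {
            continue;
        }
        $results[] = array(
            'id'    => $post->ID,
            'title' => get_the_title( $post ),
        );
    }
    wp_send_json_success( $results );
}
add_action( 'wp_ajax_example_relational_search', 'example_relational_search_hardened' );
```

The key change is the per-post check inside the loop: a role-level capability such as edit_posts answers "may this user edit posts at all", not "may this user read this post", which is exactly the distinction CWE-862 turns on. Trimming the response to id and title is defence in depth, so that even a future authorization slip does not expose post_content.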
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-12T18:43:28.699Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c1d4a9f4197a8e3ba0b486
Added to database: 3/24/2026, 12:02:49 AM
Last enriched: 4/9/2026, 6:51:05 PM
Last updated: 5/9/2026, 1:02:15 AM