CVE-2026-4812: CWE-862 Missing Authorization in wpengine Advanced Custom Fields (ACF®)
The Advanced Custom Fields (ACF) plugin for WordPress up to version 6. 7. 0 has a missing authorization vulnerability that allows unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft, private, or otherwise restricted posts and data. This occurs because AJAX field query endpoints accept user-supplied filter parameters that override field-configured restrictions without proper authorization checks. The vulnerability does not impact integrity or availability, only confidentiality of certain restricted content.
AI Analysis
Technical Summary
CVE-2026-4812 is a missing authorization vulnerability (CWE-862) in the Advanced Custom Fields (ACF) WordPress plugin maintained by wpengine. Versions up to and including 6.7.0 allow unauthenticated attackers who can access a frontend ACF form to exploit AJAX endpoints that accept user-supplied filters. These filters bypass field-configured restrictions, enabling disclosure of draft, private, or restricted post/page data that should otherwise be inaccessible. The vulnerability affects confidentiality but does not impact data integrity or availability. No official patch or remediation level has been provided as of the published date.
Potential Impact
An attacker without authentication can enumerate and disclose information about restricted WordPress posts and pages, including drafts and private content, violating confidentiality. There is no impact on data integrity or availability. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to frontend ACF forms to trusted users only and monitor for unusual access patterns. Avoid exposing ACF AJAX endpoints to unauthenticated users if possible.
CVE-2026-4812: CWE-862 Missing Authorization in wpengine Advanced Custom Fields (ACF®)
Description
The Advanced Custom Fields (ACF) plugin for WordPress up to version 6. 7. 0 has a missing authorization vulnerability that allows unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft, private, or otherwise restricted posts and data. This occurs because AJAX field query endpoints accept user-supplied filter parameters that override field-configured restrictions without proper authorization checks. The vulnerability does not impact integrity or availability, only confidentiality of certain restricted content.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4812 is a missing authorization vulnerability (CWE-862) in the Advanced Custom Fields (ACF) WordPress plugin maintained by wpengine. Versions up to and including 6.7.0 allow unauthenticated attackers who can access a frontend ACF form to exploit AJAX endpoints that accept user-supplied filters. These filters bypass field-configured restrictions, enabling disclosure of draft, private, or restricted post/page data that should otherwise be inaccessible. The vulnerability affects confidentiality but does not impact data integrity or availability. No official patch or remediation level has been provided as of the published date.
Potential Impact
An attacker without authentication can enumerate and disclose information about restricted WordPress posts and pages, including drafts and private content, violating confidentiality. There is no impact on data integrity or availability. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to frontend ACF forms to trusted users only and monitor for unusual access patterns. Avoid exposing ACF AJAX endpoints to unauthenticated users if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-25T13:02:36.082Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69deee0b82d89c981fde9f2d
Added to database: 4/15/2026, 1:46:51 AM
Last enriched: 4/22/2026, 6:45:34 AM
Last updated: 5/30/2026, 9:52:27 PM
Views: 158
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.