CVE-2026-4066

Name of the Vulnerable Software and Affected Versions Smart Custom Fields plugin for WordPress versions up to and including 5.0.6

Description The Smart Custom Fields plugin for WordPress has a flaw that allows unauthorized access to data. A missing capability check within the relational posts search() function permits authenticated attackers with Contributor-level access or higher to read private and draft post content from other authors. This is achieved through the smart-cf-relational-posts-search AJAX action, which queries posts with any status and returns complete post objects, including post content, but only verifies the generic edit posts capability instead of individual post access permissions.

Recommendations Update the Smart Custom Fields plugin to a version newer than 5.0.6. As a temporary workaround, consider restricting access to the smart-cf-relational-posts-search AJAX action until a patch is available.