PT-2026-33003 · WordPress · Advanced Custom Fields Pro

Fernando Mecozzi · Published 2026-04-15 · Updated 2026-04-24 · CVE-2026-4812

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Advanced Custom Fields (ACF) plugin for WordPress, versions prior to 6.7.1.

Description: The plugin contains a flaw where AJAX field query endpoints accept user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This allows unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft or private posts, restricted post types, and other data that the field configuration was intended to keep restricted.

Recommendations: Update the plugin to a version later than 6.7.0.
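To make the described mechanism concrete for plugin authors and reviewers, the following is an added illustration written for this page; it is not ACF's code, and the function names, the field-configuration array shape, and the `query`, `s`, `paged` and `nonce` request parameters are all hypothetical. It shows a minimal WordPress AJAX "field query" handler in the weak form the advisory describes (browser-supplied filters merged over the field's stored restrictions) beside a hardened form in which the server-side configuration always wins and non-public statuses require a capability check.

```php
<?php
/*
 * Hypothetical AJAX field-query handler for a WordPress plugin.
 * Added illustration only; not the vendor's code. Uses standard
 * WordPress APIs (check_ajax_referer, current_user_can, WP_Query,
 * wp_send_json_success) around hypothetical demo_* functions.
 */

// Field configuration as an administrator would store it for a
// post-object / relationship field. Constructed sample data.
function demo_field_config() {
    return [
        'post_type'   => [ 'product' ],
        'post_status' => [ 'publish' ],
    ];
}

// WEAK PATTERN: whatever the browser sends under `query` is merged over
// the stored configuration, so the client can widen post_type or
// post_status and the field's restrictions no longer apply.
function demo_query_args_weak( array $request ) {
    $args = demo_field_config();
    if ( isset( $request['query'] ) && is_array( $request['query'] ) ) {
        $args = array_merge( $args, $request['query'] ); // client overrides server
    }
    return $args;
}

// HARDENED PATTERN: the client may only influence search text and paging.
// Every restriction comes from the stored configuration, and a non-public
// status is queried only when the configuration allows it AND the caller
// holds a capability that would let them see such posts in wp-admin.
function demo_query_args_hardened( array $request ) {
    $config = demo_field_config();
    $args   = [
        'post_type'      => $config['post_type'],
        'post_status'    => [ 'publish' ],
        'posts_per_page' => 20,
        'paged'          => max( 1, (int) ( $request['paged'] ?? 1 ) ),
        's'              => sanitize_text_field( $request['s'] ?? '' ),
    ];
    foreach ( [ 'draft', 'private', 'pending' ] as $status ) {
        if ( in_array( $status, $config['post_status'], true )
             && current_user_can( 'edit_posts' ) ) {
            $args['post_status'][] = $status;
        }
    }
    return $args;
}

// AJAX entry point. Registered for both logged-in and logged-out callers
// because frontend forms are reachable without a session, which is exactly
// why the restrictions must be enforced here rather than in the browser.
function demo_ajax_field_query() {
    check_ajax_referer( 'demo_field_query', 'nonce' );
    $args  = demo_query_args_hardened( wp_unslash( $_POST ) );
    $query = new WP_Query( $args );
    $out   = [];
    foreach ( $query->posts as $post ) {
        $out[] = [ 'id' => $post->ID, 'title' => get_the_title( $post ) ];
    }
    wp_send_json_success( $out );
}
add_action( 'wp_ajax_demo_field_query', 'demo_ajax_field_query' );
add_action( 'wp_ajax_nopriv_demo_field_query', 'demo_ajax_field_query' );
```

When reviewing a handler of this kind, the check to make is whether any array the request controls is merged into the `WP_Query` arguments after the field configuration has been applied; if it is, the configured `post_type` and `post_status` limits are advisory only. A nonce alone does not fix this, since a visitor with access to the frontend form already has a valid one; the authorization decision has to be tied to the requested data, as the `current_user_can` check above does.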

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-4812

Affected Products: Advanced Custom Fields Pro