CVE-2026-8382

The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post title and post content of any post bound to a publicly accessible acf form() instance by injecting values into the post title and post content parameters of a form submission request.