Skip to main content

Blocks for ACF Fields CVE-2026-12428

| EUVDEUVD-2026-42568 MEDIUM
Missing Authorization (CWE-862)
2026-07-09 Wordfence GHSA-8mgm-62qj-rh6h
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible REST API requires Author-level authentication (PR:L); IDOR discloses confidential post content with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 12:12 vuln.today
CVE Published
Jul 09, 2026 - 09:31 nvd
MEDIUM 6.5

DescriptionCVE.org

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_all_values() function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permission_callback only verifies the generic publish_posts capability and the handler passes a user-supplied id parameter directly to get_field_objects() without verifying that the requesting user is authorized to read the target object. This makes it possible for authenticated attackers, with Author-level access and above, to read ACF field values from arbitrary posts (including private posts, drafts, posts by other users, and other ACF-supported objects) that they should not have access to.

AnalysisAI

Unauthorized data disclosure in the Blocks for ACF Fields WordPress plugin (versions up to and including 1.6.2) allows any authenticated user holding the Author role or above to read ACF field values from arbitrary WordPress objects - including private posts, drafts, and posts owned by other users - via an insecure REST API endpoint. The flaw stems from the REST handler accepting a user-supplied post ID and passing it directly to get_field_objects() without verifying whether the requester holds read permission on that specific object, a classic object-level authorization failure (CWE-862). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register Author-level WordPress account
Delivery
Send GET request to /wp-json/acf-field-blocks/v1/values with target post ID
Exploit
permission_callback passes with publish_posts check
Execution
get_all_values() calls get_field_objects() without object authorization
Impact
ACF field data from private or restricted post returned in response

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum the publish_posts capability, corresponding to the Author role (Author, Editor, or Administrator). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, score 6.5) is an accurate representation of the risk profile and aligns with independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a WordPress account with Author-level privileges, then sends a GET request to /wp-json/acf-field-blocks/v1/values?id=<target_post_id> with their session cookie or application password. Because get_all_values() passes the id parameter directly to get_field_objects() without checking whether the requesting user holds read capability on the referenced post, the full ACF field payload for that post - which may be a private post, unpublished draft, or another user's restricted content - is returned in the JSON response. …
Remediation Update the Blocks for ACF Fields plugin to a version beyond 1.6.2 as soon as a patched release is available in the WordPress plugin directory; a remediation changeset has been committed to the plugin's SVN repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3587876%40acf-field-blocks&new=3587876%40acf-field-blocks), but a specific patched release version number is not independently confirmed from available data - monitor the WordPress.org plugin page for a version update. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12428 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy