Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible REST API requires Author-level authentication (PR:L); IDOR discloses confidential post content with no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_all_values() function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permission_callback only verifies the generic publish_posts capability and the handler passes a user-supplied id parameter directly to get_field_objects() without verifying that the requesting user is authorized to read the target object. This makes it possible for authenticated attackers, with Author-level access and above, to read ACF field values from arbitrary posts (including private posts, drafts, posts by other users, and other ACF-supported objects) that they should not have access to.
AnalysisAI
Unauthorized data disclosure in the Blocks for ACF Fields WordPress plugin (versions up to and including 1.6.2) allows any authenticated user holding the Author role or above to read ACF field values from arbitrary WordPress objects - including private posts, drafts, and posts owned by other users - via an insecure REST API endpoint. The flaw stems from the REST handler accepting a user-supplied post ID and passing it directly to get_field_objects() without verifying whether the requester holds read permission on that specific object, a classic object-level authorization failure (CWE-862). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum the publish_posts capability, corresponding to the Author role (Author, Editor, or Administrator). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, score 6.5) is an accurate representation of the risk profile and aligns with independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a WordPress account with Author-level privileges, then sends a GET request to /wp-json/acf-field-blocks/v1/values?id=<target_post_id> with their session cookie or application password. Because get_all_values() passes the id parameter directly to get_field_objects() without checking whether the requesting user holds read capability on the referenced post, the full ACF field payload for that post - which may be a private post, unpublished draft, or another user's restricted content - is returned in the JSON response. … |
| Remediation | Update the Blocks for ACF Fields plugin to a version beyond 1.6.2 as soon as a patched release is available in the WordPress plugin directory; a remediation changeset has been committed to the plugin's SVN repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3587876%40acf-field-blocks&new=3587876%40acf-field-blocks), but a specific patched release version number is not independently confirmed from available data - monitor the WordPress.org plugin page for a version update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42568
GHSA-8mgm-62qj-rh6h