Is WordPress affected by EUVD-2026-14618?

Organizations using all should be aware of moderate risk from CVE-2026-4066, a missing authorization vulnerability rated CVSS 4.3. Attackers could gain access beyond their authorized level. Organizations should apply vendor updates when available and monitor for exploitation.

EUVD-2026-14618

| CVE-2026-4066 MEDIUM

2026-03-23 Wordfence

GHSA-v295-3wx7-pwm2

4.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 23, 2026 - 22:45 vuln.today

EUVD ID Assigned

Mar 23, 2026 - 22:45 euvd

EUVD-2026-14618

CVE Published

Mar 23, 2026 - 22:25 nvd

MEDIUM 4.3

Description

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post.

Analysis

The Smart Custom Fields WordPress plugin contains an authorization bypass vulnerability in the relational_posts_search() AJAX function that allows authenticated contributors and above to access private and draft posts from other authors. Affected versions through 5.0.6 fail to perform per-post capability checks, instead relying only on a generic edit_posts check, enabling unauthorized information disclosure of sensitive post content. …

Remediation

Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +22

POC: 0

EUVD-2026-14618 vulnerability details – vuln.today

Back

EUVD-2026-14618

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-14618

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code