Skip to main content

Advanced Custom Fields EUVDEUVD-2026-33483

| CVE-2026-8382 MEDIUM
Missing Authorization (CWE-862)
2026-05-31 Wordfence GHSA-mqv8-cjf6-jmc9
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 31, 2026 - 03:43 vuln.today
CVE Published
May 31, 2026 - 02:28 nvd
MEDIUM 5.3

DescriptionCVE.org

The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.

AnalysisAI

Authorization bypass in Advanced Custom Fields (ACF®) plugin for WordPress versions up to and including 6.8.1 allows unauthenticated remote attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance. The attack requires no credentials, no user interaction, and low complexity - exploitable by anyone who can reach a page rendering a public-facing ACF front-end form. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified at time of analysis, but the zero-barrier attack path makes content integrity on exposed WordPress sites a real concern.

Technical ContextAI

Advanced Custom Fields (ACF®) is a WPEngine plugin (CPE: cpe:2.3:a:wpengine:advanced_custom_fields_(acf®):*:*:*:*:*:*:*:*) that extends WordPress with custom field management and front-end form rendering capabilities via the acf_form() template function. The vulnerability is rooted in CWE-862 (Missing Authorization): the front-end form submission handler in includes/forms/form-front.php (visible at line 243 in the tagged 6.8.0 release on WordPress Trac) processes _post_title and _post_content parameters from HTTP POST requests without verifying that the submitting party holds any authorization to modify the target post. This is a missing server-side authorization check - the plugin accepts attacker-supplied values and writes them to the post record because it never validates the requester's identity or capability against WordPress's native permissions model. The fix, committed to trunk as WordPress Trac changeset 3549586, addresses this check in form-front.php.

RemediationAI

An upstream fix has been committed to the ACF plugin trunk branch via WordPress Trac changeset 3549586 (https://plugins.trac.wordpress.org/changeset/3549586/advanced-custom-fields/trunk/includes/forms/form-front.php), which modifies the authorization check in form-front.php. However, a specific released patched version number is not independently confirmed from the available data - administrators should update ACF to the latest version available from the WordPress plugin repository and verify the installed version exceeds 6.8.1. As a compensating control while confirming patch availability, audit all template files for acf_form() calls and restrict any public-facing instances to authenticated users by adding a login check (e.g., is_user_logged_in() gate) before rendering the form; this eliminates the attack surface entirely but breaks intended public form functionality. Temporarily disabling the front-end form feature or taking affected pages offline is a more disruptive but effective interim measure. Monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ddb2290d-d4bd-4f70-9fe9-927f49721811 for confirmed fixed version information.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-33483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy