Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.
AnalysisAI
Authorization bypass in Advanced Custom Fields (ACF®) plugin for WordPress versions up to and including 6.8.1 allows unauthenticated remote attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance. The attack requires no credentials, no user interaction, and low complexity - exploitable by anyone who can reach a page rendering a public-facing ACF front-end form. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified at time of analysis, but the zero-barrier attack path makes content integrity on exposed WordPress sites a real concern.
Technical ContextAI
Advanced Custom Fields (ACF®) is a WPEngine plugin (CPE: cpe:2.3:a:wpengine:advanced_custom_fields_(acf®):*:*:*:*:*:*:*:*) that extends WordPress with custom field management and front-end form rendering capabilities via the acf_form() template function. The vulnerability is rooted in CWE-862 (Missing Authorization): the front-end form submission handler in includes/forms/form-front.php (visible at line 243 in the tagged 6.8.0 release on WordPress Trac) processes _post_title and _post_content parameters from HTTP POST requests without verifying that the submitting party holds any authorization to modify the target post. This is a missing server-side authorization check - the plugin accepts attacker-supplied values and writes them to the post record because it never validates the requester's identity or capability against WordPress's native permissions model. The fix, committed to trunk as WordPress Trac changeset 3549586, addresses this check in form-front.php.
RemediationAI
An upstream fix has been committed to the ACF plugin trunk branch via WordPress Trac changeset 3549586 (https://plugins.trac.wordpress.org/changeset/3549586/advanced-custom-fields/trunk/includes/forms/form-front.php), which modifies the authorization check in form-front.php. However, a specific released patched version number is not independently confirmed from the available data - administrators should update ACF to the latest version available from the WordPress plugin repository and verify the installed version exceeds 6.8.1. As a compensating control while confirming patch availability, audit all template files for acf_form() calls and restrict any public-facing instances to authenticated users by adding a login check (e.g., is_user_logged_in() gate) before rendering the form; this eliminates the attack surface entirely but breaks intended public form functionality. Temporarily disabling the front-end form feature or taking affected pages offline is a more disruptive but effective interim measure. Monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ddb2290d-d4bd-4f70-9fe9-927f49721811 for confirmed fixed version information.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33483
GHSA-mqv8-cjf6-jmc9