WF-b061facb-0411-4b81-adbd-b1419b7210df-advanced-custom-fields

Advanced Custom Fields (ACF®) <= 6.8.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
6.8.2
Patched in
6d
Time to patch

Description

The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.8.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.8.1
PublishedMay 27, 2026
Last updatedJune 1, 2026
Affected pluginadvanced-custom-fields

What Changed in the Fix

Changes introduced in v6.8.2

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan - Advanced Custom Fields (ACF) <= 6.8.1 - Missing Authorization ## Vulnerability Summary The Advanced Custom Fields (ACF) plugin for WordPress (versions up to 6.8.1) is vulnerable to unauthorized access due to missing capability checks on specific AJAX handlers. While ACF is designe…

Show full research plan

Research Plan - Advanced Custom Fields (ACF) <= 6.8.1 - Missing Authorization

Vulnerability Summary

The Advanced Custom Fields (ACF) plugin for WordPress (versions up to 6.8.1) is vulnerable to unauthorized access due to missing capability checks on specific AJAX handlers. While ACF is designed to allow frontend form submissions via acf_form(), certain internal AJAX actions used for screen logic and field group querying were exposed to unauthenticated users without proper authorization. This allows an attacker to perform unauthorized actions or disclose sensitive configuration data about the site's field groups and post structures.

Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: acf/ajax/check_screen (and potentially acf/ajax/query_settings or acf/ajax/validate_save_post)
  • Authentication: None required (wp_ajax_nopriv_ registration or missing check in the unified AJAX dispatcher).
  • Payload: JSON/URL-encoded parameters specifying a "screen" context to probe for field group configurations.
  • Preconditions: The plugin must be active. For maximum impact, some field groups should be defined and assigned to posts or pages.

Code Flow

  1. Entry Point: A request is made to admin-ajax.php with the action parameter set to acf/ajax/check_screen.
  2. Dispatcher: ACF uses a unified AJAX dispatcher (typically in `includes/ajax/class
Research Findings
Static analysis — not yet PoC-verified

Summary

The Advanced Custom Fields (ACF) plugin (<= 6.8.1) lacks proper authorization checks on certain AJAX handlers, including 'acf/ajax/check_screen'. This allows unauthenticated attackers to trigger these handlers to disclose sensitive field group configurations or metadata about the site's structure.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/advanced-custom-fields/6.8.1/acf.php /home/deploy/wp-safety.org/data/plugin-versions/advanced-custom-fields/6.8.2/acf.php
--- /home/deploy/wp-safety.org/data/plugin-versions/advanced-custom-fields/6.8.1/acf.php	2026-05-13 17:42:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/advanced-custom-fields/6.8.2/acf.php	2026-05-26 18:16:08.000000000 +0000
@@ -9,7 +9,7 @@
  * Plugin Name:       Advanced Custom Fields
  * Plugin URI:        https://www.advancedcustomfields.com
  * Description:       Customize WordPress with powerful, professional and intuitive fields.
- * Version:           6.8.1
+ * Version:           6.8.2
  * Author:            WP Engine
  * Author URI:        https://wpengine.com/?utm_source=wordpress.org&utm_medium=referral&utm_campaign=plugin_directory&utm_content=advanced_custom_fields
  * Text Domain:       acf
@@ -44,7 +44,7 @@
 		 *
 		 * @var string
 		 */
-		public $version = '6.8.1';
+		public $version = '6.8.2';

Exploit Outline

The exploit targets the AJAX dispatcher used by ACF. An unauthenticated attacker can send a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to a vulnerable internal handler such as `acf/ajax/check_screen`. By crafting a payload that specifies a particular 'screen' context or `post_id`, the attacker can force the server to process logic related to field groups and return data about the site's configuration. Because the plugin fails to verify the user's capabilities or check for a valid nonce for these specific internal actions, the request is processed despite the absence of authentication.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.