[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1bYXlNs3XcLG8Qar1BjDT_8EeqwQrpzsf_fWh18irUQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"WF-b061facb-0411-4b81-adbd-b1419b7210df-advanced-custom-fields","advanced-custom-fields-acf-missing-authorization","Advanced Custom Fields (ACF®) \u003C= 6.8.1 - Missing Authorization","The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.8.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","advanced-custom-fields",null,"\u003C=6.8.1","6.8.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 00:00:00","2026-06-01 16:12:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb061facb-0411-4b81-adbd-b1419b7210df?source=api-prod",6,[22,23,24,25,26,27,28,29],"acf.php","assets\u002Fbuild\u002Fjs\u002Facf.min.js","includes\u002Fforms\u002Fform-front.php","lang\u002Facf-ar.l10n.php","lang\u002Facf-ar.po","lang\u002Facf-bg_BG.l10n.php","lang\u002Facf-bg_BG.po","lang\u002Facf-ca.l10n.php","researched",false,3,"# Research Plan - Advanced Custom Fields (ACF) \u003C= 6.8.1 - Missing Authorization\n\n## Vulnerability Summary\nThe Advanced Custom Fields (ACF) plugin for WordPress (versions up to 6.8.1) is vulnerable to unauthorized access due to missing capability checks on specific AJAX handlers. While ACF is designed to allow frontend form submissions via `acf_form()`, certain internal AJAX actions used for screen logic and field group querying were exposed to unauthenticated users without proper authorization. This allows an attacker to perform unauthorized actions or disclose sensitive configuration data about the site's field groups and post structures.\n\n## Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `acf\u002Fajax\u002Fcheck_screen` (and potentially `acf\u002Fajax\u002Fquery_settings` or `acf\u002Fajax\u002Fvalidate_save_post`)\n- **Authentication**: None required (`wp_ajax_nopriv_` registration or missing check in the unified AJAX dispatcher).\n- **Payload**: JSON\u002FURL-encoded parameters specifying a \"screen\" context to probe for field group configurations.\n- **Preconditions**: The plugin must be active. For maximum impact, some field groups should be defined and assigned to posts or pages.\n\n## Code Flow\n1. **Entry Point**: A request is made to `admin-ajax.php` with the `action` parameter set to `acf\u002Fajax\u002Fcheck_screen`.\n2. **Dispatcher**: ACF uses a unified AJAX dispatcher (typically in `includes\u002Fajax\u002Fclass","The Advanced Custom Fields (ACF) plugin (\u003C= 6.8.1) lacks proper authorization checks on certain AJAX handlers, including 'acf\u002Fajax\u002Fcheck_screen'. This allows unauthenticated attackers to trigger these handlers to disclose sensitive field group configurations or metadata about the site's structure.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-custom-fields\u002F6.8.1\u002Facf.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-custom-fields\u002F6.8.2\u002Facf.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-custom-fields\u002F6.8.1\u002Facf.php\t2026-05-13 17:42:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-custom-fields\u002F6.8.2\u002Facf.php\t2026-05-26 18:16:08.000000000 +0000\n@@ -9,7 +9,7 @@\n  * Plugin Name:       Advanced Custom Fields\n  * Plugin URI:        https:\u002F\u002Fwww.advancedcustomfields.com\n  * Description:       Customize WordPress with powerful, professional and intuitive fields.\n- * Version:           6.8.1\n+ * Version:           6.8.2\n  * Author:            WP Engine\n  * Author URI:        https:\u002F\u002Fwpengine.com\u002F?utm_source=wordpress.org&utm_medium=referral&utm_campaign=plugin_directory&utm_content=advanced_custom_fields\n  * Text Domain:       acf\n@@ -44,7 +44,7 @@\n \t\t *\n \t\t * @var string\n \t\t *\u002F\n-\t\tpublic $version = '6.8.1';\n+\t\tpublic $version = '6.8.2';","The exploit targets the AJAX dispatcher used by ACF. An unauthenticated attacker can send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to a vulnerable internal handler such as `acf\u002Fajax\u002Fcheck_screen`. By crafting a payload that specifies a particular 'screen' context or `post_id`, the attacker can force the server to process logic related to field groups and return data about the site's configuration. Because the plugin fails to verify the user's capabilities or check for a valid nonce for these specific internal actions, the request is processed despite the absence of authentication.","gemini-3-flash-preview","2026-06-04 18:04:16","2026-06-04 18:05:12",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","6.8.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields\u002Ftags\u002F6.8.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-custom-fields.6.8.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields\u002Ftags\u002F6.8.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-custom-fields.6.8.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields\u002Ftags"]