[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fP3MU74-vYNMGXmQ4uvwn2FzJXJU_olw29lQwC6hC040":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-8382","advanced-custom-fields-acf-unauthenticated-arbitrary-post-modification-via-front-end-form-posttitle-and-postcontent-para","Advanced Custom Fields (ACF®) \u003C= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters","The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.","advanced-custom-fields",null,"\u003C=6.8.1","6.8.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-30 14:23:34","2026-05-31 02:28:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fddb2290d-d4bd-4f70-9fe9-927f49721811?source=api-prod",1,[22,23,24,25,26,27,28,29],"acf.php","assets\u002Fbuild\u002Fjs\u002Facf.min.js","includes\u002Fforms\u002Fform-front.php","lang\u002Facf-ar.l10n.php","lang\u002Facf-ar.po","lang\u002Facf-bg_BG.l10n.php","lang\u002Facf-bg_BG.po","lang\u002Facf-ca.l10n.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-8382 (ACF Post Modification)\n\n## 1. Vulnerability Summary\nThe Advanced Custom Fields (ACF) plugin (\u003C= 6.8.1) contains a missing authorization vulnerability in its front-end form handling logic. While `acf_form()` is designed to allow developers to create limited front-end editing interfaces, the processing logic in `includes\u002Fforms\u002Fform-front.php` fails to verify if the specific fields `_post_title` and `_post_content` were intended to be part of the form configuration. An unauthenticated attacker can inject these parameters into a legitimate form submission to modify the title and content of the post associated with that form.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The URL of any public-facing page where `acf_form()` is rendered.\n*   **Vulnerable Action:** POST request to the page URL containing ACF form submission data.\n*   **Parameters:** `acf[_post_title]` and `acf[_post_content]`.\n*   **Authentication:** None (unauthenticated), provided the page containing the form is public.\n*   **Preconditions:** A post must be \"bound\" to a front-end `acf_form()`. This happens when `acf_form()` is called with a specific `post_id` or when it defaults to the current loop's post.\n\n## 3. Code Flow\n1.  **Entry Point:** When a user submits an ACF form, the request is processed during WordPress initialization (typically `wp_loaded`).\n2.  **Registration:** In `includes\u002Fforms\u002Fform-front.php`, `acf_form_front::validate_save_post()` is called via the `acf\u002Fvalidate_save_post` hook.\n3.  **Field Injection:** `validate_save_post()` calls `get_default_fields()`, which returns definitions for `_post_title` and `_post_content`.\n4.  **Local Field Registration:** The function iterates through these defaults. If `$_POST['acf']['_post_title']` is set, it calls `acf_add_local_field()`. This effectively \"whitelists\" the injected field for the current request execution.\n5.  **Processing:** Later, `acf_form_front::pre_save_post()` is triggered via the `acf\u002Fpre_save_post` filter.\n6.  **Data Extraction:** Inside `pre_save_post()`, the code checks `isset( $_POST['acf']['_post_title'] )`. If present, it extracts the value using `acf_extract_var()` and assigns it to `$save['post_title']`.\n7.  **Post Update:** The `$save` array is eventually passed to `wp_update_post()`, committing the changes to the database.\n\n## 4. Nonce Acquisition Strategy\nACF front-end forms require a nonce for submission. The nonce and form configuration are rendered into the HTML.\n\n1.  **Identify the Form:** Navigate to the page containing the `acf_form()`.\n2.  **Scrape Nonce and Settings:**\n    *   The nonce is stored in a hidden input field: `\u003Cinput type=\"hidden\" name=\"_acf_nonce\" value=\"[NONCE_VALUE]\">`.\n    *   The encrypted\u002Fencoded form settings are in: `\u003Cinput type=\"hidden\" name=\"_acf_form\" value=\"[ENCODED_SETTINGS]\">`.\n3.  **Browser Evaluation:**\n    ```javascript\n    \u002F\u002F Extract via browser_eval\n    const data = {\n        nonce: document.querySelector('input[name=\"_acf_nonce\"]')?.value,\n        form: document.querySelector('input[name=\"_acf_form\"]')?.value\n    };\n    return data;\n    ```\n4.  **Note:** The nonce action used by ACF for front-end forms is typically generated internally based on the form arguments. Since we are scraping it from a legitimate rendering, the action will match.\n\n## 5. Exploitation Strategy\n1.  **Preparation:** Identify a public page with an `acf_form`. Let's assume the URL is `http:\u002F\u002Flocalhost:8080\u002Fsubmit-ticket\u002F`.\n2.  **Capture Credentials:** Navigate to the page and extract the `_acf_nonce` and `_acf_form` values.\n3.  **Formulate Payload:**\n    *   `_acf_nonce`: [Extracted Value]\n    *   `_acf_form`: [Extracted Value]\n    *   `acf[_post_title]`: `VANDALIZED BY CVE-2026-8382`\n    *   `acf[_post_content]`: `This post content has been modified via unauthenticated parameter injection.`\n4.  **Execute Request:** Use `http_request` to send a POST request to the page URL.\n    *   **Method:** `POST`\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Body:** `_acf_nonce=[NONCE]&_acf_form=[FORM]&acf[_post_title]=Vandalized&acf[_post_content]=Pwned`\n5.  **Verify:** Check if the post title has changed.\n\n## 6. Test Data Setup\nTo simulate a vulnerable environment:\n1.  **Create a Target Post:**\n    ```bash\n    wp post create --post_type=post --post_title=\"Original Title\" --post_content=\"Original Content\" --post_status=publish\n    # Assume this returns ID 123\n    ```\n2.  **Create a Public Form Page:** Use a PHP snippet (e.g., via a custom page template or a plugin that allows PHP) to call `acf_form()`.\n    ```php\n    \u002F\u002F Example PHP to be placed in a page template\n    acf_form_head(); \u002F\u002F Required at the top of the file\n    acf_form([\n        'post_id' => 123,\n        'fields'  => [], \u002F\u002F Intentionally empty to show that injection works regardless of displayed fields\n        'submit_value' => 'Update'\n    ]);\n    ```\n3.  **Ensure Accessibility:** Ensure the page is published and accessible to logged-out users.\n\n## 7. Expected Results\n*   The `http_request` should return a `302 Redirect` (standard ACF behavior after successful submission) or a `200 OK` with a \"Post updated\" message.\n*   The post with the target ID should have its `post_title` changed to the injected value.\n\n## 8. Verification Steps\n1.  **Check Post State:**\n    ```bash\n    wp post get 123 --field=post_title\n    wp post get 123 --field=post_content\n    ```\n2.  **Confirmation:** If the output matches the injected payload, the vulnerability is confirmed.\n\n## 9. Alternative Approaches\n*   **Honeypot Bypass:** If the form fails, check if the honeypot `_validate_email` (found in `get_default_fields()`) is causing a rejection. Ensure `acf[_validate_email]` is sent as an empty string or omitted.\n*   **Query String Nonce:** Some ACF configurations might look for the nonce in the URL if not in the POST body, though this is rare for forms.\n*   **Multiple Form IDs:** If a page has multiple `acf_form()` calls, ensure the `_acf_form` settings parameter matches the specific form instance targeting the desired `post_id`.","Advanced Custom Fields (ACF) up to 6.8.1 is vulnerable to unauthenticated post modification. This occurs because front-end forms (acf_form) do not verify if internal fields like '_post_title' and '_post_content' are explicitly enabled in the form configuration, allowing attackers to inject these parameters and overwrite post data.","\u002F* includes\u002Fforms\u002Fform-front.php:236 *\u002F\nfunction validate_save_post() {\n\n\t\u002F\u002F register field if isset in $_POST\n\tforeach ( $this->get_default_fields() as $k => $field ) {\n\n\t\t\u002F\u002F bail early if no in $_POST\n\t\tif ( ! isset( $_POST['acf'][ $k ] ) ) { \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Missing -- Verified elsewhere.\n\t\t\tcontinue;\n\t\t}\n\n\t\t\u002F\u002F register\n\t\tacf_add_local_field( $field );\n\t}\n---\n\u002F* includes\u002Fforms\u002Fform-front.php:278 *\u002F\nfunction pre_save_post( $post_id, $form ) {\n\t\u002F\u002F ...\n\t\u002F\u002F save post_title\n\tif ( isset( $_POST['acf']['_post_title'] ) ) {\n\t\t$save['post_title'] = acf_extract_var( $_POST['acf'], '_post_title' ); \u002F\u002F phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.\n\t}\n\n\t\u002F\u002F save post_content\n\tif ( isset( $_POST['acf']['_post_content'] ) ) {\n\t\t$save['post_content'] = acf_extract_var( $_POST['acf'], '_post_content' ); \u002F\u002F phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.\n\t}\n\t\u002F\u002F ...","--- includes\u002Fforms\u002Fform-front.php\n+++ includes\u002Fforms\u002Fform-front.php\n@@ -278,11 +278,11 @@\n \t\t\t\u002F\u002F phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().\n \t\t\t\u002F\u002F save post_title\n-\t\t\tif ( isset( $_POST['acf']['_post_title'] ) ) {\n+\t\t\tif ( isset( $_POST['acf']['_post_title'] ) && ! empty( $form['post_title'] ) ) {\n \t\t\t\t$save['post_title'] = acf_extract_var( $_POST['acf'], '_post_title' ); \u002F\u002F phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.\n \t\t\t}\n \n \t\t\t\u002F\u002F save post_content\n-\t\t\tif ( isset( $_POST['acf']['_post_content'] ) ) {\n+\t\t\tif ( isset( $_POST['acf']['_post_content'] ) && ! empty( $form['post_content'] ) ) {\n \t\t\t\t$save['post_content'] = acf_extract_var( $_POST['acf'], '_post_content' ); \u002F\u002F phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.\n \t\t\t}","1. Identify a public WordPress page that renders an ACF front-end form using acf_form().\n2. Extract the required hidden field values from the HTML source: `_acf_nonce` (the security token) and `_acf_form` (the encoded form configuration).\n3. Prepare a POST request to the page's URL containing the extracted `_acf_nonce` and `_acf_form` values.\n4. Inject the malicious parameters `acf[_post_title]` and `acf[_post_content]` into the POST body with the desired modified content.\n5. Send the request. The plugin processes the submission, identifies the injected fields as 'default' fields, and updates the post associated with the form ID regardless of whether the developer intended to allow title or content edits.","gemini-3-flash-preview","2026-06-04 14:55:20","2026-06-04 14:55:58",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.8.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields\u002Ftags\u002F6.8.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-custom-fields.6.8.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields\u002Ftags\u002F6.8.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-custom-fields.6.8.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields\u002Ftags"]