[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxE4M-3eE_1TO7Wm0nmjwmIC-3kYt_PNPwxyo67KX8cA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":40,"poc_video_id":9,"poc_summary":41,"poc_steps":42,"poc_tested_at":43,"poc_wp_version":44,"poc_php_version":45,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":46,"poc_model_used":9,"poc_verification_depth":9,"source_links":47},"CVE-2026-4812","advanced-custom-fields-acf-unauthenticated-missing-authorization-to-arbitrary-postpage-disclosure-via-ajax-field-query-p","Advanced Custom Fields (ACF®) \u003C= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post\u002FPage Disclosure via AJAX Field Query Parameters","The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post\u002FPage Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft\u002Fprivate posts, restricted post types, and other data that should be restricted by field configuration.","advanced-custom-fields",null,"\u003C=6.7.0","6.7.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-04-14 12:58:08","2026-04-15 01:25:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F51e3a976-a1a3-411a-b88c-f1cb2aa8d5eb?source=api-prod",1,[22,23,24,25,26,27,28,29],"acf.php","includes\u002Facf-bidirectional-functions.php","includes\u002Facf-field-functions.php","includes\u002Facf-field-group-functions.php","includes\u002Facf-form-functions.php","includes\u002Facf-helper-functions.php","includes\u002Facf-hook-functions.php","includes\u002Facf-input-functions.php","researched",false,3,"# Research Plan: ACF Unauthenticated Private Post Disclosure (CVE-2026-4812)\n\n## 1. Vulnerability Summary\nThe Advanced Custom Fields (ACF) plugin (\u003C= 6.7.0) contains a missing authorization vulnerability in its AJAX field query endpoints. These endpoints (primarily `acf\u002Fajax\u002Fquery`) are designed to facilitate searching for posts, terms, or users within ACF fields like **Relationship**, **Post Object**, or **User**.\n\nThe vulnerability exists because the AJAX handler accepts filter parameters (such as `post_status`, `post_type`, or `taxonomy`) directly from the `$_POST` request and uses them to override the predefined restrictions configured for the specific ACF field. Because these endpoints can be accessed by unauthenticated users if an ACF form is displayed on the frontend, an attacker can manipulate these parameters to query and disclose information about draft posts, private posts, or restricted post types that the field settings would normally forbid.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `acf\u002Fajax\u002Fquery` (This is the primary unified AJAX endpoint for field queries in ACF 6.x).\n- **Vulnerable Parameters**: `post_status`, `post_type`, `taxonomy`.\n- **Authentication**: Unauthenticated (if the site has a frontend `acf_form()` or a public-facing ACF field).\n- **Preconditions**: \n    1. An ACF Field Group must exist containing a field type that uses AJAX search (e.g., **Post Object** or **Relationship**).\n    2. The field must be rendered on a frontend page accessible to the attacker (usually via `acf_form()` or the `[acf_form]` shortcode).\n\n## 3. Code Flow\n1. **Frontend Initiation**: A user visits a page containing an ACF field with `ajax: 1` enabled (default for Relationship\u002FPost Object).\n2. **AJAX Request**: When the user types in the search box, the ACF JavaScript sends a POST request to `admin-ajax.php?action=acf\u002Fajax\u002Fquery`.\n3. **Nonce Verification**: The handler checks `check_ajax_referer('acf_nonce', 'nonce')`.\n4. **Field Loading**: The server-side logic calls `acf_get_field( $_POST['field_key'] )` (found in `includes\u002Facf-field-functions.php`) to retrieve the configured restrictions.\n5. **Parameter Merging (The Sink)**: The handler prepares arguments for `WP_Query`. It takes the restrictions from the `$field` array (e.g., `$field['post_status'] = 'publish'`) but merges them with values provided in `$_POST`.\n6. **Vulnerability**: Since there is no authorization check to see if the current user is allowed to override these filters, providing `post_status=private` in the POST request overrides the field's hardcoded requirement for `publish`, allowing `WP_Query` to return private data.\n\n## 4. Nonce Acquisition Strategy\nACF localizes its configuration and nonces into a global JavaScript object named `acf`.\n\n1. **Setup**: Create a public page containing an `acf_form`.\n2. **Navigation**: Use `browser_navigate` to visit the page.\n3. **Extraction**: Use `browser_eval` to extract the unified ACF nonce and the specific field key needed for the query.\n\n**JavaScript to execute:**\n```javascript\n\u002F\u002F Get the unified ACF nonce\nconst nonce = acf.get('nonce');\n\n\u002F\u002F Get the field key from the first Post Object or Relationship field on the page\nconst fieldKey = jQuery('.acf-field[data-type=\"post_object\"], .acf-field[data-type=\"relationship\"]').first().data('key');\n\nreturn { nonce, fieldKey };\n```\n\n## 5. Exploitation Strategy\n### Step 1: Discover Field Key and Nonce\nNavigate to the page where the ACF form is rendered and run the extraction script above.\n\n### Step 2: Perform Unauthorized Query\nSend an unauthenticated `POST` request to `admin-ajax.php` using the `http_request` tool.\n\n**Request Details:**\n- **URL**: `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```\n  action=acf\u002Fajax\u002Fquery\n  &nonce=[EXTRACTED_NONCE]\n  &field_key=[EXTRACTED_FIELD_KEY]\n  &s=[SEARCH_TERM]\n  &post_status=private,draft,trash,any\n  ```\n\n### Step 3: Parse Results\nThe response will be a JSON object containing a `results` array. If the exploit is successful, this array will contain the titles and IDs of private\u002Fdraft posts that match the search term `s`.\n\n## 6. Test Data Setup\nTo verify the vulnerability, the following environment must be prepared:\n\n1. **Target Content**:\n   - Create a post with `post_status` set to `private` titled \"SECRET_DATA_EXPOSED\".\n   - Create a post with `post_status` set to `draft` titled \"CONFIDENTIAL_DRAFT\".\n2. **ACF Configuration**:\n   - Create a Field Group.\n   - Add a **Post Object** field (Label: \"Search Posts\", Name: \"search_posts\").\n   - Configure the field settings: `Filter by Post Status` = `Published` (this is the restriction we will bypass).\n   - Set the Field Group location to `Page == All`.\n3. **Frontend Display**:\n   - Register a simple shortcode in `functions.php` to render the ACF form:\n     ```php\n     add_shortcode('test_acf_form', function() {\n         acf_form_head();\n         acf_form(['post_id' => 'new_post', 'field_groups' => [ [GROUP_ID] ]]);\n     });\n     ```\n   - Create a public page with the content `[test_acf_form]`.\n\n## 7. Expected Results\n- **Unpatched Version (\u003C= 6.7.0)**: The AJAX response returns the private and draft posts in the `results` list.\n- **Patched Version (6.7.1)**: The server ignores the `post_status` parameter in the `POST` body if it exceeds the field's configuration, or it returns an error\u002Fempty results if the user lacks the `read_private_posts` capability.\n\n## 8. Verification Steps\nAfter the HTTP exploit attempt, verify the results:\n1. Check the HTTP response status (should be 200).\n2. Check the JSON body for the string `SECRET_DATA_EXPOSED`.\n3. Use WP-CLI to confirm the post is indeed private:\n   `wp post list --post_status=private --fields=post_title,ID`\n\n## 9. Alternative Approaches\nIf `acf\u002Fajax\u002Fquery` is not the active endpoint (depending on specific Pro features or legacy settings), check for:\n- `action=acf\u002Ffields\u002Fpost_object\u002Fquery`\n- `action=acf\u002Ffields\u002Frelationship\u002Fquery`\n\nThese follow the same logic: they check a nonce and then process query arguments. The payload remains the same: inject `post_status` or `post_type` into the POST body to override field-level restrictions.","Advanced Custom Fields (ACF) versions up to 6.7.0 are vulnerable to unauthenticated information disclosure via AJAX field query endpoints. Attackers can manipulate request parameters to override field-level search restrictions, allowing them to enumerate and view titles\u002FIDs of private or draft posts.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-custom-fields\u002F6.7.0\u002Facf.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-custom-fields\u002F6.7.1\u002Facf.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-custom-fields\u002F6.7.0\u002Facf.php\t2025-12-03 17:16:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-custom-fields\u002F6.7.1\u002Facf.php\t2026-03-03 18:16:20.000000000 +0000\n@@ -9,7 +9,7 @@\n  * Plugin Name:       Advanced Custom Fields\n  * Plugin URI:        https:\u002F\u002Fwww.advancedcustomfields.com\n  * Description:       Customize WordPress with powerful, professional and intuitive fields.\n- * Version:           6.7.0\n+ * Version:           6.7.1\n  * Author:            WP Engine\n  * Author URI:        https:\u002F\u002Fwpengine.com\u002F?utm_source=wordpress.org&utm_medium=referral&utm_campaign=plugin_directory&utm_content=advanced_custom_fields\n  * Text Domain:       acf\n@@ -22,7 +22,7 @@\n  * @package ACF\n  * @author  WP Engine\n  *\n- * © 2025 Advanced Custom Fields (ACF®). All rights reserved.\n+ * © 2026 Advanced Custom Fields (ACF®). All rights reserved.\n  * \"ACF\" is a trademark of WP Engine.\n  * Licensed under the GNU General Public License v2 or later.\n  * https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n@@ -44,7 +44,7 @@\n \t\t *\n \t\t * @var string\n \t\t *\u002F\n-\t\tpublic $version = '6.7.0';\n+\t\tpublic $version = '6.7.1';","The exploit targets the acf\u002Fajax\u002Fquery endpoint by abusing the lack of authorization checks on search filters. \n\n1.  **Discovery**: Navigate to a public page containing an ACF form (Post Object or Relationship field) and extract the unified 'acf_nonce' from the global JavaScript 'acf' object and the target field's key from its 'data-key' attribute.\n2.  **Request Construction**: Send an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php?action=acf\u002Fajax\u002Fquery`.\n3.  **Payload**: Include the extracted nonce and field key, a search term 's', and a manipulated 'post_status' parameter set to 'private,draft,trash,any'.\n4.  **Information Disclosure**: The server merges these unauthenticated parameters into the WP_Query arguments, overriding the field's configuration and returning sensitive post titles and IDs in the JSON response.","gemini-3-flash-preview","2026-04-16 15:45:04","2026-04-16 15:45:36","failed","All models in the chain (gemini-3-flash-preview, claude-opus-4-7) failed to produce a verified exploit.",[],"2026-04-17 19:27:58","6.7","8.3",true,{"type":48,"vulnerable_version":49,"fixed_version":11,"vulnerable_browse":50,"vulnerable_zip":51,"fixed_browse":52,"fixed_zip":53,"all_tags":54},"plugin","6.7.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields\u002Ftags\u002F6.7.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-custom-fields.6.7.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields\u002Ftags\u002F6.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-custom-fields.6.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields\u002Ftags"]