vulnerability

WordPress Plugin: advanced-custom-fields: CVE-2026-8382: Missing Authorization

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

May 30, 2026

Added

Jun 1, 2026

Modified

Jun 1, 2026

Description

The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.

Solution

advanced-custom-fields-plugin-cve-2026-8382

References

https://www.cve.org/CVERecord?id=CVE-2026-8382
https://www.wordfence.com/threat-intel/vulnerabilities/id/ddb2290d-d4bd-4f70-9fe9-927f49721811?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-33483
CVE-2026-8382
https://attackerkb.com/topics/CVE-2026-8382
CWE-862
EUVD-EUVD-2026-33483

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report