Back to overview

CVE-2026-12428

MEDIUM
6.5
CVSS 3.1
Description
The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_all_values() function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permission_callback only verifies the generic publish_posts capability and the handler passes a user-supplied id parameter directly to get_field_objects() without verifying that the requesting user is authorized to read the target object. This makes it possible for authenticated attackers, with Author-level access and above, to read ACF field values from arbitrary posts (including private posts, drafts, posts by other users, and other ACF-supported objects) that they should not have access to.

Metadata

CVE ID
CVE-2026-12428
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-06-16 17:09 UTC
Published
2026-07-09 09:31 UTC
Last updated
2026-07-09 09:31 UTC
Primary CWE
CWE-862
CWE-862 Missing Authorization
Vendor / Product
gamaup / Blocks for ACF Fields — Display Custom Fields in the Block Editor
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
gamaup Blocks for ACF Fields — Display Custom Fields in the Block Editor 0 ≤ 1.6.2
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862 Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Back to overview