CVE-2026-12428 in Blocks for ACF Fields Plugin
Summary
by MITRE • 07/09/2026
The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_all_values() function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permission_callback only verifies the generic publish_posts capability and the handler passes a user-supplied id parameter directly to get_field_objects() without verifying that the requesting user is authorized to read the target object. This makes it possible for authenticated attackers, with Author-level access and above, to read ACF field values from arbitrary posts (including private posts, drafts, posts by other users, and other ACF-supported objects) that they should not have access to.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The Blocks for ACF Fields plugin represents a critical security vulnerability in the WordPress ecosystem that undermines data confidentiality and access controls. This flaw exists within the REST API endpoint at /wp-json/acf-field-blocks/v1/values where the get_all_values() function fails to implement proper capability verification. The vulnerability stems from an insufficient permission_callback mechanism that only validates the generic publish_posts capability rather than implementing granular access controls specific to the targeted content. This design oversight creates a path for unauthorized data extraction that directly violates fundamental security principles of least privilege and access control enforcement.
The technical implementation of this vulnerability demonstrates a classic insufficient authorization flaw where user-supplied parameters are processed without adequate validation of the requesting user's entitlements. The handler passes a user-provided id parameter directly to get_field_objects() function without performing any verification that the authenticated user possesses the necessary permissions to access the specified post or content object. This pattern represents a CWE-285 vulnerability classification related to insufficient authorization checks, where the system fails to properly validate that an actor has appropriate rights to perform the requested operation on the target resource.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential information disclosure across multiple content types within WordPress. Authenticated attackers with Author-level privileges or higher can access ACF field values from private posts, drafts, posts authored by other users, and various ACF-supported objects that should remain restricted. This unauthorized access capability allows adversaries to gather sensitive information that may include proprietary content, personal data, internal communications, or strategic business information. The vulnerability affects all versions up to and including 1.6.2, indicating a prolonged window during which systems remained exposed to this threat vector.
From a defensive perspective, this vulnerability aligns with ATT&CK technique T1213.002 for Data from Information Repositories and represents a privilege escalation path that could enable more sophisticated attacks. Organizations should immediately update to patched versions of the Blocks for ACF Fields plugin while implementing additional monitoring for unusual REST API access patterns. The remediation approach should focus on strengthening the permission_callback implementation to verify specific capabilities such as edit_posts or edit_others_posts depending on the target content type, rather than relying on generic publishing permissions. Security teams must also conduct comprehensive audits of all custom REST endpoints to identify similar authorization gaps that could provide unauthorized access to sensitive data within WordPress installations.
The vulnerability demonstrates how seemingly minor oversights in capability verification can create significant security implications in content management systems where multiple user roles and content types interact dynamically. This flaw exemplifies the importance of implementing proper access control mechanisms at every layer of application logic, particularly when dealing with REST API endpoints that serve as potential attack vectors for data exfiltration and information gathering activities.