MEDIUM 5.3

CVE-2026-8382: Advanced Custom Fields Authorization Bypass (ACF WordPress Plugin)

The Advanced Custom Fields (ACF) plugin for WordPress contains a flaw that allows anyone on the internet to modify the title and content of posts that use ACF forms, without needing to log in or have any special permissions. An attacker can inject malicious values into form fields to alter published content, potentially leading to defacement, misinformation, or reputational damage. All versions up to 6.8.1 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8382 is an authorization bypass vulnerability in ACF (CWE-862: Missing Authorization) affecting versions through 6.8.1. The plugin fails to validate user permissions before processing form submissions tied to acf_form() instances. Specifically, unauthenticated attackers can craft POST requests containing _post_title and _post_content parameters to overwrite post metadata on publicly accessible forms. The vulnerability requires no authentication, no user interaction, and has a network attack vector, resulting in a CVSS 3.1 score of 5.3 (Medium severity).

Business impact

Website defacement and content tampering pose immediate reputational risks, particularly for organizations publishing time-sensitive or regulated content. Attackers could inject malicious links, promotional content, or misleading information into live posts. While the vulnerability does not expose data or cause availability loss, the integrity compromise can erode user trust and trigger incident response overhead. Websites relying on ACF forms for managed content pipelines face operational disruption if remediation requires form reconfiguration.

Affected systems

Any WordPress installation running the Advanced Custom Fields plugin version 6.8.1 or earlier is vulnerable if it has one or more publicly accessible acf_form() instances. The risk is heightened for sites using ACF forms for guest submissions, user-generated content collection, or public-facing workflows. Private or restricted forms behind authentication are not directly exploitable via this vector.

Exploitability

Exploitation is straightforward: an attacker simply submits HTTP POST requests to a public form URL with crafted _post_title and _post_content parameters. No special tools, credentials, or user interaction are required. The low complexity and network accessibility make opportunistic attacks feasible, though the vulnerability was not added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory publication date.

Remediation

Immediately update the ACF plugin to a patched version released after 6.8.1. Verify the specific patched version against the official ACF plugin repository or vendor advisory. As an interim measure, restrict access to acf_form() instances using WordPress capabilities checks, require user authentication for all form submissions, or disable public forms until patching is complete. Review published posts for unauthorized modifications in the past 30–90 days.

Patch guidance

Check the official Advanced Custom Fields plugin changelog and WordPress plugin directory for versions released after June 2026 containing security fixes for this authorization bypass. Apply the patch through WordPress's automated plugin update mechanism or manual upload. After patching, clear any plugin caches and test form functionality on a staging environment before production deployment. Consider staggered rollout if the plugin is critical to your content workflow.

Detection guidance

Monitor Web Application Firewall (WAF) logs for suspicious POST requests to acf_form() endpoints containing _post_title or _post_content parameters from non-authenticated sources. Review WordPress post revision histories and audit logs for unexpected changes to post_title or post_content fields on forms known to be public-facing. Check for patterns of mass modifications occurring within short timeframes. Implement logging of all ACF form submissions with source IP and parameter contents.

Why prioritize this

Although scored MEDIUM (5.3) and not yet in active exploitation, this vulnerability should be prioritized because it affects content integrity on public-facing websites and requires no attacker credentials. Organizations with publicly accessible ACF forms should patch within 48–72 hours. Lower-risk deployments (forms behind authentication, staging environments, low-visibility sites) can follow standard patch cycles but should not be deferred indefinitely.

Risk score, explained

CVSS 3.1 score 5.3 reflects a network-accessible vulnerability with no authentication requirement, low attack complexity, and direct impact on content integrity (the 'I:L' in the vector). The score excludes data confidentiality and availability impact, which are not affected. The 'PR:N/UI:N' indicates no prerequisite permissions or user interaction—a core reason for the integrity concern despite the 'MEDIUM' label.

Frequently asked questions

What is an 'authorization bypass' and why does it matter here?

An authorization bypass occurs when an application fails to verify that a user has permission to perform an action. In this case, ACF did not check whether a form submitter had the right to edit posts, allowing unauthenticated attackers to modify any post linked to a public form. This is dangerous because content integrity is a fundamental trust mechanism for websites.

Do I need to be logged into WordPress to exploit this vulnerability?

No. The vulnerability explicitly allows unauthenticated attackers to submit requests. You do not need a WordPress account, administrative privileges, or any credentials. If a site has a public ACF form, the form is accessible to anyone on the internet.

What should I do if my site uses ACF forms?

First, update the plugin to the latest patched version. Next, review your site's published posts for suspicious title or content changes in recent weeks. If you cannot patch immediately, disable public ACF forms or add WordPress authentication checks to restrict form access to logged-in users only. Monitor access logs for unusual POST activity.

Is this vulnerability being actively exploited?

As of the advisory date, this vulnerability was not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, which tracks in-the-wild exploitation. However, the low barrier to exploitation means attackers could begin targeting sites without public disclosure of working exploits.

This analysis is based on the CVE-2026-8382 advisory published 2026-05-31 and updated 2026-06-17. Patch version numbers and specific remediation steps should be verified against the official Advanced Custom Fields plugin repository and vendor security advisories. This explainer is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessment based on their specific WordPress configurations and form deployment practices. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).