🔐 CVE Alert

CVE-2026-12428

MEDIUM 6.5

Blocks for ACF Fields <= 1.6.2 - Missing Authorization to Authenticated (Author+) Arbitrary ACF Field Value Disclosure via 'id' Parameter

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_all_values() function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permission_callback only verifies the generic publish_posts capability and the handler passes a user-supplied id parameter directly to get_field_objects() without verifying that the requesting user is authorized to read the target object. This makes it possible for authenticated attackers, with Author-level access and above, to read ACF field values from arbitrary posts (including private posts, drafts, posts by other users, and other ACF-supported objects) that they should not have access to.

CWE CWE-862
Vendor gamaup
Product blocks for acf fields — display custom fields in the block editor
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for gamaup blocks for acf fields — display custom fields in the block editor

Be the first to know when new medium vulnerabilities affecting gamaup blocks for acf fields — display custom fields in the block editor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

gamaup / Blocks for ACF Fields — Display Custom Fields in the Block Editor
0 ≤ 1.6.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/fc48f75d-a2e8-49ea-9bfa-a27a61ff8a84?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.6.0/inc/class-rest.php#L302 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.6.0/inc/class-rest.php#L100 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.6.0/inc/class-rest.php#L296 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.5.0/inc/class-rest.php#L302 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.5.0/inc/class-rest.php#L100 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/acf-field-blocks/tags/1.5.0/inc/class-rest.php#L296 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?reponame=&old=3587876%40acf-field-blocks&new=3587876%40acf-field-blocks

Credits

thinnawarth mathuros