PatchSiren cyber security CVE debrief
CVE-2026-8382 wpengine CVE debrief
The Advanced Custom Fields (ACF®) WordPress plugin contains an authorization bypass vulnerability affecting versions up to and including 6.8.1. The plugin fails to verify that the submitting user is authorized to edit the targeted post before processing submissions to publicly accessible acf_form() instances. Unauthenticated attackers can supply arbitrary values in the _post_title and _post_content parameters and overwrite the title and content of any post bound to such a form. The root cause is a missing authorization check in the front-end form processing logic. A changeset (3549586) has been committed to address the issue in the plugin's form-front.php file. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and low integrity impact with no confidentiality or availability impact; with the stated score of 5.3 this corresponds to AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
- Vendor
- wpengine
- Product
- Advanced Custom Fields (ACF®)
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-31
- Original CVE updated
- 2026-05-31
- Advisory published
- 2026-05-31
- Advisory updated
- 2026-05-31
Who should care
WordPress site administrators running Advanced Custom Fields plugin versions ≤6.8.1, particularly those exposing acf_form() instances that bind to existing posts with title or content editing enabled and that are reachable without authentication. Security teams monitoring WordPress plugin vulnerabilities and developers implementing custom front-end forms with ACF.
Technical summary
The vulnerability exists in the front-end form handling of the Advanced Custom Fields plugin. When acf_form() is exposed to unauthenticated visitors, the form submission handler in includes/forms/form-front.php does not validate whether the submitting user is authorized to modify the targeted post. The _post_title and _post_content parameters are processed without an authorization check, so a crafted submission can overwrite the title and content of the post the form is bound to. The fix in changeset 3549586 modifies the authorization validation logic in form-front.php so that post modification through the form is properly restricted.
Defensive priority
medium
Recommended defensive actions
- Upgrade Advanced Custom Fields plugin to a version newer than 6.8.1 as soon as a patched release is available
- Inventory every publicly reachable acf_form() instance that targets an existing post with post_title or post_content enabled, and review the posts bound to those forms for title or content changes that no legitimate user made
- Implement an additional server-side authorization check (for example, current_user_can('edit_post', $post_id) on the form's target post) for front-end form submissions that modify post content
- Monitor WordPress audit logs for post_title or post_content changes made while no user was logged in
- Consider temporarily restricting access to acf_form() instances that allow post editing to authenticated, authorized users until patching is complete
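The following mu-plugin is an added example illustrating the compensating controls above (an explicit server-side authorization check, a rendering guard, and a change logger); it is not code from the ACF plugin, the changeset, or the Wordfence advisory. It assumes that acf_form() submissions carry the target post ID in a hidden input named `_acf_post_id`, that the forms on the site target ordinary posts (numeric IDs or `new_post`), and that the ACF hooks `acf/validate_save_post`, `acf_add_validation_error()` and the core `post_updated` action behave as documented. The function `example_render_edit_form()` is a hypothetical helper a theme would call instead of acf_form() directly.

```php
<?php
/**
 * Plugin Name: ACF front-end form authorization guard (added example)
 *
 * Added example, not part of ACF or of the advisory. Place in
 * wp-content/mu-plugins/ as an interim control until a fixed ACF release
 * is installed. Assumptions are marked where they appear.
 */

// 1. Server-side check: runs on every ACF submission, before anything is saved.
//    Blocking the whole submission means tampered _post_title / _post_content
//    values never reach the save logic, whichever field names the request uses.
add_action( 'acf/validate_save_post', function () {
    // Admin screens already go through WordPress's own capability checks.
    if ( is_admin() ) {
        return;
    }

    // Assumption: acf_form() posts the target post ID as hidden input '_acf_post_id'.
    // Assumption: forms on this site target posts only; 'user_1' / 'term_3' style
    // targets would cast to 0 and be rejected, so extend the check if you use them.
    $target = isset( $_POST['_acf_post_id'] ) ? wp_unslash( $_POST['_acf_post_id'] ) : '';

    if ( $target === 'new_post' || $target === '' ) {
        // Creating content: require a capability instead of a per-post check.
        // Relax this if a form is intentionally open for anonymous submissions.
        if ( ! current_user_can( 'edit_posts' ) ) {
            acf_add_validation_error( '', 'You are not allowed to create content here.' );
        }
        return;
    }

    $post_id = (int) $target;
    if ( $post_id <= 0 || ! current_user_can( 'edit_post', $post_id ) ) {
        acf_add_validation_error( '', 'You are not allowed to edit this post.' );
    }
}, 1 );

// 2. Rendering guard: do not expose an editing form to visitors who cannot edit.
//    Hypothetical theme helper; acf_form_head() must still be called before
//    get_header() in the template, as ACF requires for front-end forms.
function example_render_edit_form( $post_id ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        echo '<p>Please log in with an account that can edit this post.</p>';
        return;
    }
    acf_form( array(
        'post_id'      => $post_id,
        'post_title'   => true,
        'post_content' => true,
        'submit_value' => 'Update',
    ) );
}

// 3. Detection: record title/content changes made while no user is logged in.
//    WP-Cron and WP-CLI also run as user 0, so expect some benign entries and
//    correlate with the request path / REMOTE_ADDR when triaging.
add_action( 'post_updated', function ( $post_id, $after, $before ) {
    if ( get_current_user_id() !== 0 ) {
        return;
    }
    $changed = array();
    if ( $before->post_title !== $after->post_title ) {
        $changed[] = 'post_title';
    }
    if ( $before->post_content !== $after->post_content ) {
        $changed[] = 'post_content';
    }
    if ( $changed ) {
        $src = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli-or-cron';
        error_log( sprintf(
            'acf-guard: unauthenticated update of post %d (%s) from %s uri=%s',
            $post_id,
            implode( ',', $changed ),
            $src,
            isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
        ) );
    }
}, 10, 3 );
```

The validation hook fires at priority 1 so it runs before field-level validators, and it rejects by adding a validation error rather than calling wp_die(), which keeps ACF's normal error rendering intact. The logger writes to PHP's error_log; forward that file to the SIEM you already use for WordPress, and filter on the `acf-guard:` prefix when hunting for exploitation of this issue.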
Evidence notes
Vulnerability confirmed by Wordfence security advisory. Source references include a specific line reference to ACF 6.8.0 form-front.php at line 243, a committed changeset (3549586) modifying the same file, and a Wordfence threat intelligence entry. CWE-862 (Missing Authorization) is classified as the primary weakness. NVD status shows 'Received', indicating initial entry processing.
Official resources
2026-05-31