CVE-2026-8382
Description
Unauthenticated users can overwrite post title and content of any post using a publicly accessible ACF form due to missing authorization checks in versions up to 6.8.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Advanced Custom Fields (ACF) plugin for WordPress versions up to and including 6.8.1 fails to verify user authorization when processing form submissions. The acf_form() function renders front-end forms that include hidden fields _post_title and _post_content for posts bound to the form. An unauthenticated attacker can inject arbitrary values into these parameters, overwriting the title and content of any post that is associated with a publicly accessible ACF form instance [1][2][3].
Exploitation
An attacker needs no authentication or special privileges. They must identify a WordPress site running ACF ≤6.8.1 that has a publicly accessible acf_form() instance (e.g., on a front-end page). The attacker then submits a POST request to that form's action URL, injecting desired values into the _post_title and _post_content parameters. The plugin processes the submission without verifying that the user is authorized to edit the target post [1][2].
Impact
Successful exploitation allows an unauthenticated attacker to modify the title and content of any post that is bound to the exposed ACF form. This can lead to defacement, injection of malicious content, or disruption of site integrity. The attacker does not gain full administrative access but can alter post data without permission [1].
Mitigation
The vulnerability is fixed in ACF version 6.8.2, released on 2026-05-26 [1]. Update to 6.8.2 or later. For sites that cannot update yet, do not expose acf_form() on pages reachable by unauthenticated visitors, or add a server-side authorization check that runs before the submission is saved, for example confirming that the current user holds the edit_post capability for the targeted post. A nonce by itself is not a substitute: it only ties the request to the form that rendered it and says nothing about whether the submitter is allowed to edit that post. No KEV listing is currently available.
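The interim authorization check described above, as an added example: this is not ACF's own code or the 6.8.2 fix, but a must-use plugin that rejects front-end acf_form() submissions targeting a post the current user may not edit. It assumes the public WordPress and ACF APIs named in the comments (the acf/validate_save_post action, the _acf_post_id hidden field, acf_add_validation_error() and current_user_can()); the acfguard_ prefix and the new-post policy are this example's own choices.

```php
<?php
/**
 * Plugin Name: ACF form authorization guard (added example, not ACF code)
 *
 * Drop this file into wp-content/mu-plugins/. It rejects front-end acf_form()
 * submissions whose target post the current user is not allowed to edit.
 * Assumptions: the form posts its target in the _acf_post_id hidden field,
 * ACF fires the acf/validate_save_post action before writing post data, and
 * acf_add_validation_error() aborts the save. Upgrading to 6.8.2+ is the real fix.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Return true when the current user may write to the post an ACF form targets.
 *
 * @param string $post_id Value of _acf_post_id: a numeric post ID for an existing
 *                        post, or a non-numeric marker (ACF uses 'new_post') for
 *                        forms that create a post.
 * @return bool
 */
function acfguard_user_can_write( $post_id ) {
	if ( is_numeric( $post_id ) ) {
		// Existing post: require the edit_post capability for that specific ID.
		// This is the check the vulnerable versions were missing.
		return current_user_can( 'edit_post', (int) $post_id );
	}

	// New-post forms: require a general editing capability. This policy choice
	// deliberately refuses anonymous submissions; relax it only if the site
	// intentionally accepts posts from logged-out visitors.
	return current_user_can( 'edit_posts' );
}

// Runs during ACF's server-side validation, i.e. before any post data is saved.
add_action( 'acf/validate_save_post', function () {
	$post_id = isset( $_POST['_acf_post_id'] )
		? sanitize_text_field( wp_unslash( $_POST['_acf_post_id'] ) )
		: '';

	if ( '' === $post_id || ! acfguard_user_can_write( $post_id ) ) {
		// An empty input name attaches the error to the form as a whole, so ACF
		// stops the save and shows the message instead of updating the post.
		acf_add_validation_error( '', __( 'You are not allowed to edit this post.' ) );
	}
}, 5 );
```

The check is keyed on the post the request names, not on whether the page hosting the form is public, so it also covers a form whose post_id argument an attacker cannot see but can still supply. Remove the plugin once the site is on 6.8.2 or later, or keep it as defense in depth.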
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- (no CPE) range: <=6.8.1
- (no CPE) range: <=6.8.1
Patches
1
- r3549586
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3
News mentions
0
No linked articles in our index yet.