Medium severity5.3NVD Advisory· Published May 31, 2026· Updated Jun 1, 2026
CVE-2026-8382
CVE-2026-8382
Description
The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=6.8.1+ 1 more
- (no CPE)range: <=6.8.1
- (no CPE)range: <=6.8.1
Patches
Vulnerability mechanics
References
3News mentions
2- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026
- WordPress Plugin Batch: 25 CVEs Across 20+ Plugins Disclosed in Late May 2026Vypr Intelligence · May 31, 2026