{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-8382","assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","state":"PUBLISHED","assignerShortName":"Wordfence","dateReserved":"2026-05-12T09:06:53.362Z","datePublished":"2026-05-31T02:28:00.276Z","dateUpdated":"2026-06-01T10:33:23.161Z"},"containers":{"cna":{"providerMetadata":{"orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence","dateUpdated":"2026-05-31T02:28:00.276Z"},"affected":[{"vendor":"wpengine","product":"Advanced Custom Fields (ACF®)","versions":[{"version":"0","status":"affected","lessThanOrEqual":"6.8.1","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request."}],"title":"Advanced Custom Fields (ACF®) <= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters","references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/ddb2290d-d4bd-4f70-9fe9-927f49721811?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/advanced-custom-fields/tags/6.8.0/includes/forms/form-front.php#L243"},{"url":"https://plugins.trac.wordpress.org/changeset/3549586/advanced-custom-fields/trunk/includes/forms/form-front.php"}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-862 Missing Authorization","cweId":"CWE-862","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM"}}],"credits":[{"lang":"en","type":"finder","value":"Sarawut Poolkhet"}],"timeline":[{"time":"2026-05-30T14:23:34.000Z","lang":"en","value":"Disclosed"}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-01T10:32:13.854562Z","id":"CVE-2026-8382","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-01T10:33:23.161Z"}}]}}