CVE-2024-3072 MEDIUM

CVE-2024-3072: ACF Front End Editor <= 2.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update

Vendor Horiondigital
Product ACF Front End Editor
Weakness CWE-862 · Missing authorization
Published April 30, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The ACF Front End Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_texts() function in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post title, content, and ACF data.

Key dates

02Disclosure timeline

April 30, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-32126 WordPress SALERT plugin <= 1.2.1 - Broken Access Control vulnerability CVE-2025-24972 Discourse may bypass user preference when adding users to chat groups CVE-2025-68596 WordPress Bit Assist plugin <= 1.5.11 - Broken Access Control vulnerability CVE-2023-47788 WordPress Jetpack plugin < 12.7 - Contributor+ Broken Access Control vulnerability CVE-2024-25092 WordPress NextMove Lite plugin <= 2.17.0 - Subscriber+ Arbitrary Plugin Installation/Activation vulnerability