What the vulnerability does
01 Description
The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability and does not check object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, on any user account, on comments and taxonomy terms, and even on the global options page via the /wp-json/acf/v3/{type}/{id} endpoints.
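As an added illustration (not the plugin's own code), here is the weak permission-callback pattern the description refers to, next to a hardened version that resolves the requested type and ID to the object-specific capability. The example/v1 namespace, the function names and the placeholder handler are assumptions; the route shape mirrors the /{type}/{id} endpoints named above.

```php
<?php
// Constructed illustration of the authorization flaw class described above.
// Not the plugin's code; namespace, function names and handler are placeholders.

// Insufficient: every user holding edit_posts (Contributor and up) passes,
// no matter which object the request addresses.
function example_weak_update_permissions_check( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened: map the requested type to the meta capability for that exact
// object and evaluate it for the ID in the request.
function example_update_permissions_check( WP_REST_Request $request ) {
    $type = $request->get_param( 'type' );
    $id   = absint( $request->get_param( 'id' ) );

    switch ( $type ) {
        case 'posts':
            $allowed = $id && current_user_can( 'edit_post', $id );
            break;
        case 'users':
            $allowed = $id && current_user_can( 'edit_user', $id );
            break;
        case 'comments':
            $allowed = $id && current_user_can( 'edit_comment', $id );
            break;
        case 'terms':
            $allowed = $id && current_user_can( 'edit_term', $id );
            break;
        case 'options':
            $allowed = current_user_can( 'manage_options' );
            break;
        default:
            $allowed = false; // unknown types are denied, never allowed by default
    }

    if ( ! $allowed ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to edit this object.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/(?P<type>[\w-]+)/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => function () { return rest_ensure_response( array( 'ok' => true ) ); }, // placeholder
        'permission_callback' => 'example_update_permissions_check',
    ) );
} );
```

The permission callback is only the gate: the handler must also write solely to the object identified by the validated type and ID, not to an ID taken from the request body.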
Explanation of Vulnerability in Simple Terms
02 Summary
ACF to REST API versions 3.3.4 and earlier contain an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with low-level site credentials can alter content or settings through the REST API without proper permission checks. This affects sites using the plugin with multiple user roles or restricted editing permissions.
What an attacker can do
03 Attacker Capabilities
Modify site data or settings via REST API without proper authorization checks.
Potential impact on your site
04 Site Impact
Users with limited editing permissions may be able to alter content or settings beyond their intended scope.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege authenticated account on the site.
Key dates
06 Disclosure timeline
January 7, 2026: CVE published
April 8, 2026: Record updated