Description: what the vulnerability does
The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post.
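The check the advisory describes as missing, shown in an illustrative hardened handler for the same AJAX action. This is an added example, not Smart Custom Fields' own code: the action name comes from the advisory, while the nonce name, the handler name and the request parameters are assumptions.

```php
<?php
// Illustrative hardened handler (not the plugin's code). The hook name
// follows the advisory; 'scf_search_nonce', the function name and the
// 's' / 'post_type' parameters are assumptions made for this example.
add_action( 'wp_ajax_smart-cf-relational-posts-search', 'example_relational_posts_search' );

function example_relational_posts_search() {
    // Nonce plus the generic edit_posts gate. On its own this is the
    // insufficient check the advisory describes: a Contributor passes it.
    check_ajax_referer( 'scf_search_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $search    = isset( $_POST['s'] ) ? sanitize_text_field( wp_unslash( $_POST['s'] ) ) : '';
    $post_type = isset( $_POST['post_type'] ) ? sanitize_key( $_POST['post_type'] ) : 'post';
    if ( ! post_type_exists( $post_type ) ) {
        wp_send_json_error( 'unknown post type', 400 );
    }

    $query = new WP_Query( array(
        'post_type'      => $post_type,
        'post_status'    => 'any',  // drafts and private posts included, filtered below
        's'              => $search,
        'posts_per_page' => 20,
        'fields'         => 'ids',  // never hand back full WP_Post objects with post_content
    ) );

    $results = array();
    foreach ( $query->posts as $post_id ) {
        // read_post is a meta capability: map_meta_cap resolves it to
        // read_private_posts for private posts and to edit_post for drafts,
        // so other authors' unpublished content is dropped per post.
        if ( ! current_user_can( 'read_post', $post_id ) ) {
            continue;
        }
        $results[] = array(
            'id'    => $post_id,
            'title' => get_the_title( $post_id ),
        );
    }

    wp_send_json_success( $results );
}
```

Returning only ids and titles keeps an over-broad query from leaking content even if a per-post check is later weakened.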
Summary: explanation of the vulnerability in simple terms
Smart Custom Fields versions 5.0.6 and earlier do not properly check user permissions before allowing access to certain data. A logged-in user with low privileges can read sensitive information they should not have access to. The vulnerability requires an active user account but no special interaction from the victim.
Attacker capabilities: what an attacker can do
Read sensitive data they should not have permission to access.
Site impact: potential impact on your site
Unauthorized users can view private or restricted custom field data stored in your site.
Prerequisites: conditions required to exploit
Attacker must have a low-privilege user account on the site.
Disclosure timeline: key dates
March 23, 2026: CVE published
April 8, 2026: Record updated