mediumCVE-2026-12428

Blocks for ACF Fields WordPress Plugin Unauthorized Data Access Vulnerability

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_all_values() function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permission_callback only verifies the generic publish_posts capability and the handler passes a user-supplied id parameter directly to get_field_objects() without verifying that the requesting user is authorized to read the target object. This makes it possible for authenticated attackers, with Author-level access and above, to read ACF field values from arbitrary posts (including private posts, drafts, posts by other users, and other ACF-supported objects) that they should not have access to.

ProductBlocks for ACF Fields
CVSS6.5
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

Blocks for ACF Fields should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Blocks for ACF Fields up to and including 1.6.2

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Blocks for ACF Fields is affected by CVE-2026-12428. Vulnerable versions up to and including 1.6.2 expose data because author-level users can read ACF values from objects they should not be allowed to access. Update or disable the plugin on public WordPress sites and review affected records for unauthorized access.

  1. Inventory every WordPress site where Blocks for ACF Fields is installed and enabled.
  2. Update Blocks for ACF Fields beyond 1.6.2 when a vendor-fixed release is available.
  3. Disable the plugin temporarily if the affected REST endpoint or workflow is reachable and no fixed version is available.
  4. Restrict the vulnerable REST route with a WAF or server rule until patching is complete.
  5. Review WordPress user roles and remove unnecessary Author, Host, or elevated plugin roles.
  6. Audit access logs for enumeration of post IDs, booking IDs, object IDs, or plugin REST endpoints.
  7. Clear WordPress, object, page, and CDN caches after remediation.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Blocks for ACF Fields is no longer running version 1.6.2 or older.
  • Test the affected REST endpoint as the lowest relevant role in staging and confirm unauthorized records are denied.
  • Verify legitimate editor, host, or administrator workflows still function after the fix.
  • Review sensitive post, ACF, or booking records for suspicious access during the exposure window.
  • Run a Fixnx scan and confirm public WordPress exposure signals are rechecked.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-12428?

Blocks for ACF Fields versions listed as affected should be reviewed: Blocks for ACF Fields up to and including 1.6.2.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.