{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4066", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T18:43:28.699Z", "datePublished": "2026-03-23T22:25:39.149Z", "dateUpdated": "2026-04-08T17:05:11.962Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:11.962Z"}, "affected": [{"vendor": "inc2734", "product": "Smart Custom Fields", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post."}], "title": "Smart Custom Fields <= 5.0.6 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f52e3a-e414-4f47-b46c-e3811e76744b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L78"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L143"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3485210%40smart-custom-fields%2Ftrunk&old=3416964%40smart-custom-fields%2Ftrunk&sfp_email=&sfph_mail=#file2"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "darkestmode"}], "timeline": [{"time": "2026-03-12T18:59:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-23T09:49:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:58:26.021876Z", "id": "CVE-2026-4066", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:59:08.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4066", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:58:26.021876Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:58:57.252Z"}}], "cna": {"title": "Smart Custom Fields <= 5.0.6 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search", "credits": [{"lang": "en", "type": "finder", "value": "darkestmode"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "inc2734", "product": "Smart Custom Fields", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.0.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-12T18:59:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-23T09:49:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f52e3a-e414-4f47-b46c-e3811e76744b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L78"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L143"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3485210%40smart-custom-fields%2Ftrunk&old=3416964%40smart-custom-fields%2Ftrunk&sfp_email=&sfph_mail=#file2"}], "descriptions": [{"lang": "en", "value": "The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-23T22:25:39.149Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4066", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:59:08.877Z", "dateReserved": "2026-03-12T18:43:28.699Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-23T22:25:39.149Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post."}, {"lang": "es", "value": "El plugin Smart Custom Fields para WordPress es vulnerable al acceso no autorizado de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n relational_posts_search() en todas las versiones hasta la 5.0.6, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, lean contenido de publicaciones privadas y borradores de otros autores a trav\u00e9s de la acci\u00f3n AJAX smart-cf-relational-posts-search. La funci\u00f3n consulta publicaciones con post_status=any y devuelve objetos WP_Post completos, incluyendo post_content, pero solo comprueba la capacidad gen\u00e9rica edit_posts en lugar de verificar si el usuario solicitante tiene permiso para leer cada publicaci\u00f3n individual."}], "id": "CVE-2026-4066", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-23T23:17:13.227", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L143"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L78"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3485210%40smart-custom-fields%2Ftrunk&old=3416964%40smart-custom-fields%2Ftrunk&sfp_email=&sfph_mail=#file2"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f52e3a-e414-4f47-b46c-e3811e76744b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Smart Custom Fields", "source": "cna", "vendor": "inc2734"}, "product": "smart_custom_fields", "vendor": "inc2734"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-24T03:56:12.305012+00:00", "value": {"mitigation_remediation": ["Upgrade the Smart Custom Fields plugin to the latest available version that fixes the missing capability check.", "If an update is not immediately possible, disable the plugin or the relational posts search feature to prevent the AJAX endpoint from being accessible to Contributors.", "Verify that WordPress user roles are correctly configured so that only administrators can read private posts."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the inc2734 Smart Custom Fields plugin, versions up to and including 5.0.6, which is distributed as a WordPress plugin. Any WordPress installation that has this plugin activated at these or earlier versions is susceptible until the functionality is updated or removed.", "description_and_impact": "The Smart Custom Fields plugin for WordPress contains a missing capability check in the relational_posts_search() function. As a result, authenticated users with Contributor-level access or higher can trigger the smart-cf-relational-posts-search AJAX action and retrieve full WP_Post objects, including post_content, for posts with post_status=any. This allows such users to read private and draft content belonging to other authors, thereby exposing sensitive information that should be restricted.", "risk_and_exploitability": "With a CVSS score of 4.3 the issue is considered moderate but still measurable; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers need only authenticated access with Contributor or higher privileges and send a request to the AJAX endpoint; no special local conditions or exploits are required. The impact is limited to confidentiality loss of unpublished post content; however, if an attacker gains broader privileges the exposure could be significant."}}}}, "created": "2026-03-24T10:30:07.864777+00:00", "updated": "2026-03-25T20:36:15.602365+00:00", "vendors": ["inc2734", "inc2734$PRODUCT$smart_custom_fields", "wordpress", "wordpress$PRODUCT$wordpress"]}