I realize this is an old thread, but not sure if there’s a better place to post. The behavior described by mkeys is still present, and while I understand it is a fundamental part of the functionality of acf_form, it is difficult to use acf_form in good conscience with this vulnerability. In addition to manipulating post authors, etc, it is possible to edit the data of other users in this manner using the user_$current_user->ID.
Is there is a practical solution to mitigate this issue? Or is there a reason I am missing that we shouldn’t be concerned with this?
I would love to use the acf_form functionality rather than implement a separate form plugin or writing a separate plugin from scratch.
