WordPress · cbravobernal · Jun 20, 2025 · Jun 20, 2025
diff --git a/includes/api/api-helpers.php b/includes/api/api-helpers.php
@@ -689,14 +689,31 @@ function acf_verify_nonce( $value ) {
  *
  * @param string $nonce  The nonce to check.
  * @param string $action The action of the nonce.
+ * @param bool   $action_is_field Whether the action is a field key or not. Defaults to false.
  * @return boolean
  */
-function acf_verify_ajax( $nonce = '', $action = '' ) {
+function acf_verify_ajax( $nonce = '', $action = '', $action_is_field = false ) {
+
 	// Bail early if we don't have a nonce to check.
 	if ( empty( $nonce ) && empty( $_REQUEST['nonce'] ) ) {
 		return false;
 	}
 
+	// Build the action if we're trying to validate a specific field nonce.
+	if ( $action_is_field ) {
+		if ( ! acf_is_field_key( $action ) ) {
+			return false;
+		}
+
+		$field = acf_get_field( $action );
+
+		if ( empty( $field['type'] ) ) {
+			return false;
+		}
+
+		$action = 'acf_field_' . $field['type'] . '_' . $action;
+	}
+
 	$nonce_to_check = ! empty( $nonce ) ? $nonce : $_REQUEST['nonce']; // phpcs:ignore WordPress.Security -- We're verifying a nonce here.
 	$nonce_action   = ! empty( $action ) ? $action : 'acf_nonce';
 

diff --git a/includes/fields/class-acf-field-repeater.php b/includes/fields/class-acf-field-repeater.php
@@ -1058,7 +1058,7 @@ public function ajax_get_rows() {
 				)
 			);
 
-			if ( ! acf_verify_ajax( $args['nonce'], $args['field_key'] ) ) {
+			if ( ! acf_verify_ajax( $args['nonce'], $args['field_key'], true ) ) {
 				$error = array( 'error' => __( 'Invalid nonce.', 'secure-custom-fields' ) );
 				wp_send_json_error( $error, 401 );
 			}