Insecure Direct Object Reference in acf-to-rest-api Plugin for WordPress
CVE-2020-13700

7.5HIGH

Key Information:

Vendor

Wordpress
Status
Acf To Rest Api
Vendor
CVE Published:
24 June 2020

What is CVE-2020-13700?

The acf-to-rest-api plugin for WordPress, up to version 3.1.0, is susceptible to an insecure direct object reference that allows attackers to manipulate permalinks. This could potentially expose sensitive information stored in the wp_options table, including critical data such as login credentials. Attackers can exploit this vector by making specific requests to wp-json/acf/v3/options/, leading to unauthorized access to sensitive settings.

References

https://github.com/airesvsg/acf-to-rest-api
x_refsource_MISC
https://wordpress.org/plugins/acf-to-rest-api/#developers
x_refsource_MISC
https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c...
x_refsource_MISC

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.