Severity: High

CVE-2025-12030

IDOR in ACF to REST API WordPress Plugin

Description

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in the ACF to REST API WordPress plugin. This vulnerability allows unauthorized users to access or modify data belonging to other users by manipulating object references in API requests.

Technical Details

The vulnerability exists in the plugin's REST API endpoint handling. The plugin fails to properly validate user permissions when accessing Advanced Custom Fields (ACF) data through the REST API. An attacker can exploit this by directly referencing object IDs in API requests without proper authorization checks.

Attack Vector

The attack can be performed by sending crafted HTTP requests to the WordPress REST API endpoints exposed by the plugin. By enumerating object IDs and accessing them directly, an attacker can retrieve sensitive ACF data that should be restricted.

Vulnerability Characteristics

  • Authentication: Not required for exploitation
  • Attack Complexity: Low - can be exploited with basic HTTP requests
  • Privileges Required: None
  • User Interaction: None required

Impact Assessment

Successful exploitation of this vulnerability could lead to:

  • Data Disclosure: Unauthorized access to sensitive ACF data from other users or posts
  • Privacy Violations: Exposure of personally identifiable information (PII) stored in custom fields
  • Business Logic Bypass: Circumvention of intended access controls
  • Information Gathering: Reconnaissance for further attacks

The severity is rated as High due to the ease of exploitation and potential for data exposure in environments where ACF stores sensitive information.

Proof of Concept

A proof of concept demonstrating this vulnerability involves:

  1. Identifying the REST API endpoint exposed by the ACF to REST API plugin
  2. Enumerating valid object IDs through incremental requests
  3. Accessing ACF data for objects without proper authentication

Note: Detailed proof of concept code is withheld to prevent exploitation of unpatched systems.

Remediation Steps

For Site Administrators

  • Update immediately to version 3.3.0 or later
  • Review server logs for suspicious API access patterns
  • Audit ACF data that may have been exposed
  • Consider implementing rate limiting on REST API endpoints

For Plugin Developers

  • Implement proper authorization checks before returning ACF data
  • Validate user permissions for each requested object
  • Use WordPress's built-in capability checking functions
  • Consider implementing object-level access control
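A worked example of the object-level authorization check recommended above. This is an added illustration, not code from the ACF to REST API plugin; the route namespace, path and function names are hypothetical, while the WordPress and ACF functions used are real.

```php
<?php
// Added illustration (not the plugin's code): a REST route that returns ACF
// fields for a post only after an object-level authorization check.
// Namespace, route and function names are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/acf/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_acf_fields',
        // IDOR pattern: '__return_true' here lets anyone read any ID.
        // Correct pattern: decide per requested object, below.
        'permission_callback' => 'example_can_read_acf_fields',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Object-level check: the caller must be allowed to read *this* post.
function example_can_read_acf_fields( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post ) {
        // Same response for missing and forbidden avoids confirming IDs exist
        // to unauthenticated callers; here we keep WordPress's usual 404.
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    // Publicly viewable, non-password-protected posts are readable by anyone.
    if ( is_post_publicly_viewable( $post ) && empty( $post->post_password ) ) {
        return true;
    }
    // Drafts, private and password-protected posts: require the capability
    // for this specific object, not just "is logged in".
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read fields for this object.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Runs only after the permission callback returned true.
function example_get_acf_fields( WP_REST_Request $request ) {
    $fields = function_exists( 'get_fields' ) ? get_fields( (int) $request['id'] ) : array();
    return rest_ensure_response( $fields ? $fields : array() );
}
```

`rest_authorization_required_code()` yields 401 for anonymous callers and 403 for authenticated ones, so a misconfigured client and a real authorization failure are distinguishable in the logs reviewed under the administrator steps above.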

Disclosure Timeline

  • 2024-12-10: Vulnerability discovered during security assessment
  • 2024-12-12: Reported to plugin developer via responsible disclosure
  • 2024-12-28: Plugin developer confirmed the vulnerability
  • 2025-01-08: Patch released in version 3.3.0
  • 2025-01-15: CVE-2025-12030 assigned and publicly disclosed

References

Discovered by: Kai Aizen (SnailSploit)