VYPR
High severity · NVD Advisory · Published Jun 24, 2020 · Updated Aug 4, 2024

CVE-2020-13700

Description

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The acf-to-rest-api plugin for WordPress (≤3.1.0) leaks sensitive wp_options data (including credentials) via an insecure direct object reference in the REST API 'options' endpoint.

Vulnerability

Overview

The acf-to-rest-api plugin for WordPress, up to version 3.1.0, contains an insecure direct object reference (IDOR) vulnerability. The plugin exposes REST API endpoints for Advanced Custom Fields (ACF) data, including a /wp-json/acf/v3/options/ path that handles site-wide ACF options. Due to insufficient access controls and permissive permalink handling, an unauthenticated attacker can send a crafted request to this endpoint and retrieve arbitrary rows from the wp_options database table [1][2].

Attack

Vector

The vulnerability is triggered by manipulating the URI path or overriding plugin parameters via $_GET parameters in the permalink structure. No authentication is required to exploit this issue. The attacker simply sends a GET request to the plugin's REST endpoint, which then returns sensitive configuration values stored in WordPress options, such as the site's login (username) and password hashes [1][2]. The attacker can enumerate all option keys due to the IDOR nature of the endpoint.

Impact

Successful exploitation allows an unauthenticated remote attacker to read sensitive information from the wp_options table, including but not limited to WordPress admin credentials (username and password hash), secret keys, and other security-sensitive settings. This could lead to complete site compromise, privilege escalation, and data theft [1].

Mitigation

Status

The acf-to-rest-api plugin has been closed on the WordPress plugin directory due to a security issue and is no longer available for download [4]. Users who have the plugin installed should immediately remove it and seek alternative ways to expose ACF data via the REST API, as no patched version has been released. The vulnerability is tracked as CVE-2020-13700 [1].
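Because no fixed version exists, a site owner who is removing the plugin will also want to know whether the vulnerable route was ever reached. The following added example (written for this page; it is not the advisory's or the plugin's own code) scans combined-format web server access logs for requests to the /acf/v3/options route, normalising both the /wp-json/ permalink form and WordPress's ?rest_route= query form used on sites with plain permalinks; the log lines and IP addresses are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (Apache/nginx default): client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# REST route of the endpoint named in the advisory. It is reachable via the pretty permalink
# (/wp-json/acf/v3/options/) or, with plain permalinks, via ?rest_route=; both are normalised below.
VULNERABLE_ROUTE = "/acf/v3/options"

def rest_route_of(target: str) -> Optional[str]:
    """Return the REST route a request target addresses, or None if it is not a REST call."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1]
    query = parse_qs(parts.query)          # parse_qs percent-decodes the values
    if "rest_route" in query:
        return query["rest_route"][0].lower()
    return None

def flag_acf_options_requests(log_lines):
    """Return one record per request that reached the vulnerable ACF options route."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip it
        route = rest_route_of(m["target"])
        if route is not None and route.startswith(VULNERABLE_ROUTE):
            hits.append({"ip": m["ip"], "time": m["time"],
                         "route": route, "status": int(m["status"])})
    return hits

# Constructed sample log lines (documentation IP ranges); not taken from any real site.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2020:10:01:02 +0000] "GET /wp-json/acf/v3/options/ HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '203.0.113.7 - - [24/Jun/2020:10:01:05 +0000] "GET /?rest_route=%2Facf%2Fv3%2Foptions%2F HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '198.51.100.4 - - [24/Jun/2020:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Jun/2020:10:02:30 +0000] "GET /wp-json/acf/v3/posts/12 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_acf_options_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line means the options payload was served; a 404 or 403 after the plugin was removed shows the probe no longer succeeds.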

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: airesvsg/acf-to-rest-api (Packagist)
Affected versions: <= 3.1.0
Patched versions: none

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4
