CVE-2020-13700 - Authorization Bypass Through User-Controlled Key vulnerability in ACF to Rest API (ACF to Rest API Project)
CVSS metrics
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: NONE
- Availability impact: NONE
Summary
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference (IDOR) via permalink manipulation: an unauthenticated request to a wp-json/acf/v3/options/ route is served without an authorization check, and the response can include sensitive values stored in the wp_options table, such as login and pass values. The impact is disclosure only (confidentiality HIGH, no integrity or availability impact), and no credentials are needed to trigger it, which is why the metrics above show privileges required NONE.
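Until the plugin can be updated, the exposure described above can be closed at the permission layer. The following must-use plugin is an added mitigation example, not code from the acf-to-rest-api project; it assumes the plugin's documented `acf/rest_api/item_permissions/get` and `acf/rest_api/item_permissions/update` filters, and that the third filter argument carries the route family (for example `options`). Both the argument order and the capability choices are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Require capabilities for ACF to REST API routes
 * Description: Added mitigation example for CVE-2020-13700 (not the plugin's own code).
 *              Drop this file into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

/**
 * Decide whether the current request may read ACF data over REST.
 *
 * Assumed filter signature: ( bool $permission, WP_REST_Request $request, string $type ).
 * Defaults on the extra parameters keep the callback safe if the plugin passes fewer arguments.
 */
function cve_2020_13700_read_permission( $permission, $request = null, $type = null ) {
    // wp_options can hold secrets (API keys, SMTP credentials, anything an admin saved).
    // Only a user who may manage site options gets to read the 'options' route family.
    if ( 'options' === $type ) {
        return current_user_can( 'manage_options' );
    }

    // Every other route family: require an authenticated user at minimum.
    // Tighten to 'edit_posts' or a custom capability if your fields are not public data.
    return is_user_logged_in() && current_user_can( 'read' );
}

/**
 * Writes are stricter: nobody without edit rights may update fields via REST,
 * and options may only be changed by an administrator.
 */
function cve_2020_13700_update_permission( $permission, $request = null, $type = null ) {
    if ( 'options' === $type ) {
        return current_user_can( 'manage_options' );
    }
    return current_user_can( 'edit_posts' );
}

// Priority 10, accept up to 3 arguments (see the assumed signature above).
add_filter( 'acf/rest_api/item_permissions/get', 'cve_2020_13700_read_permission', 10, 3 );
add_filter( 'acf/rest_api/item_permissions/update', 'cve_2020_13700_update_permission', 10, 3 );
```

After installing the file, an anonymous GET to wp-json/acf/v3/options/ should no longer return option values; with the permission callback returning false, WordPress answers with a `rest_forbidden` error instead. Verify that before relying on it, and still upgrade the plugin once a fixed release is available, since a hook-based guard only helps while the plugin keeps calling these filters.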
Vulnerable Configurations
- acf-to-rest-api plugin for WordPress, versions through 3.1.0 (as stated in the summary)
Common Weakness Enumeration (CWE)
- CWE-639: Authorization Bypass Through User-Controlled Key
References
- https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
- https://github.com/airesvsg/acf-to-rest-api
- https://wordpress.org/plugins/acf-to-rest-api/#developers