ACF to REST API < 3.3.0 – Unauthenticated Arbitrary wp_options Disclosure | CVE 2020-13700

Description

The plugin does not properly check for authorisation and allowed options to be retrieved from the wp-json/acf/v3/options/ endpoint. This could allow unauthenticated attacker to retrieve arbitrary values from the wp_options table, such as a list of active plugins.

Proof of Concept

List all active plugins of the blog: GET /wp-json/acf/v3/options/a?id=active&field=plugins

Affects Plugins

acf-to-rest-api

Fixed in 3.3.0

References

CVE

CVE-2020-13700

URL

https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5

URL

https://github.com/airesvsg/acf-to-rest-api/issues/317

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

mariuszpoplwski

Verified

Yes

WPVDB ID

3ed9fa82-db22-48d6-b2f7-0ab8df45a068

Timeline

Publicly Published

2020-06-28 (about 3 years ago)

Added

2020-06-28 (about 3 years ago)

Last Updated

2020-06-29 (about 3 years ago)

Other

Published

Title

Published

2024-04-25

Title

Assistant – Every Day Productivity Apps < 1.4.9.2 - Unauthenticated Sensitive Information Exposure

Published

2024-04-22

Title

USPS Shipping for WooCommerce – Live Rates < 1.10.0 - Sensitive Information Exposure

Published

2024-04-29

Title

Media Cleaner: Clean your WordPress! < 6.7.3 - Unauthenticated Information Exposure

Published

2022-01-03

Title

Document Embedder < 1.7.9 - Subscriber+ Arbitrary Private/Draft Post Title Disclosure

Published

2022-10-17

Title

WP < 6.0.3 - Email Address Disclosure via wp-mail.php