ACF to REST API < 3.3.0 – Unauthenticated Arbitrary wp_options Disclosure | CVE 2020-13700

Description

The plugin does not properly check for authorisation and allowed options to be retrieved from the wp-json/acf/v3/options/ endpoint. This could allow unauthenticated attacker to retrieve arbitrary values from the wp_options table, such as a list of active plugins.

Proof of Concept

List all active plugins of the blog: GET /wp-json/acf/v3/options/a?id=active&field=plugins

Affects Plugins

acf-to-rest-api

Fixed in 3.3.0

References

CVE

CVE-2020-13700

URL

https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5

URL

https://github.com/airesvsg/acf-to-rest-api/issues/317

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

mariuszpoplwski

Verified

Yes

WPVDB ID

3ed9fa82-db22-48d6-b2f7-0ab8df45a068

Timeline

Publicly Published

2020-06-28 (about 5 years ago)

Added

2020-06-28 (about 5 years ago)

Last Updated

2020-06-29 (about 5 years ago)

Other

Published

Title

Published

2024-08-07

Title

Import and export users and customers < 1.26.9 - Unauthenticated Information Exposure

Published

2024-08-14

Title

ElementsKit Pro < 3.6.7 - Authenticated (Contributor+) Sensitive Information Exposure

Published

2024-02-02

Title

Post Thumbnail Editor <= 2.4.8 - Sensitive Information Exposure

Published

2024-08-09

Title

Shared Files < 1.7.29 - Unauthenticated Sensitive Information Exposure

Published

2025-04-01

Title

ACF City Selector <= 1.17.0 - Unauthenticated Sensitive Information Exposure