CVE-2025-12030
📋 TL;DR
The ACF to REST API WordPress plugin has an insecure direct object reference vulnerability that allows authenticated users with Contributor-level access or higher to modify Advanced Custom Fields data they shouldn't have permission to access. This includes editing posts they don't own, user accounts, comments, taxonomy terms, and global options. Any WordPress site using vulnerable versions of this plugin is affected.
💻 Affected Systems
- ACF to REST API WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could modify global WordPress options, compromise user accounts, deface content, or manipulate critical site configuration through unauthorized ACF field modifications.
Likely Case
Unauthorized content modification, user profile tampering, or comment manipulation by authenticated users exceeding their intended permissions.
If Mitigated
Limited to authorized users only performing actions within their proper scope, with proper capability checks preventing unauthorized object access.
🎯 Exploit Status
Exploitation requires authenticated access (Contributor role or higher) and knowledge of object IDs. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.5 or later
Vendor Advisory: https://wordpress.org/plugins/acf-to-rest-api/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'ACF to REST API' and click 'Update Now'.
4. Alternatively, download version 3.3.5+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable REST API endpoints (applies to: all)
Temporarily disable the vulnerable REST API endpoints until patching is possible.
Add to wp-config.php: define('ACF_TO_REST_API_DISABLED', true);
Restrict user roles (applies to: all)
Temporarily remove the Contributor and Author roles from untrusted users.
🧯 If You Can't Patch
- Implement web application firewall rules to block requests to /wp-json/acf/v3/* endpoints
- Enable detailed logging for all REST API requests and monitor for unauthorized ACF modifications
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for ACF to REST API version. If version is 3.3.4 or lower, you are vulnerable.
Check Version:
wp plugin list --name=acf-to-rest-api --field=version
Verify Fix Applied:
Verify that the plugin version is 3.3.5 or higher in the WordPress admin panel. Authenticated API calls to /wp-json/acf/v3/ endpoints made with insufficient permissions should now return 403 errors.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to PUT/POST requests at /wp-json/acf/v3/* from Contributor/Author roles
- Unauthorized modification of posts, users, or options via REST API
Network Indicators:
- REST API requests to ACF endpoints with unexpected user-agent patterns
- Burst of PUT/POST requests to /wp-json/acf/v3/*
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/acf/v3/*" AND (http_method="PUT" OR http_method="POST") AND user_role IN ("contributor", "author"))
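As an added example (not part of the original advisory), the log indicators and the SIEM query above expressed as a small Python detector run over constructed sample records. It assumes an application-level REST log carrying the same field names the SIEM query uses (uri_path, http_method, user_role) plus a timestamp, user_id and status code; a plain web-server access log does not record the user's role, so that field would have to come from a WordPress-side logging plugin. It goes slightly beyond the page's query in two ways: it only flags writes that succeeded (2xx), so the 403 denials expected after the fix are not reported, and it adds the burst check from the network indicators.

```python
"""Detector for the CVE-2025-12030 log and network indicators.

Sample records below are constructed for this example; field names mirror the
SIEM query on the advisory (uri_path, http_method, user_role) and are assumed to
come from an application-level REST log, not a raw web-server access log.
"""
import fnmatch
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines sample: one contributor account performing several ACF
# writes in quick succession, one author denied with 403, and normal admin traffic.
SAMPLE_LOG = """
{"ts": "2025-10-01T10:00:00Z", "remote_addr": "198.51.100.7", "user_id": 12, "user_role": "contributor", "http_method": "GET", "uri_path": "/wp-json/acf/v3/posts/5", "status": 200}
{"ts": "2025-10-01T10:00:05Z", "remote_addr": "198.51.100.7", "user_id": 12, "user_role": "contributor", "http_method": "POST", "uri_path": "/wp-json/acf/v3/posts/5", "status": 200}
{"ts": "2025-10-01T10:00:06Z", "remote_addr": "198.51.100.7", "user_id": 12, "user_role": "contributor", "http_method": "POST", "uri_path": "/wp-json/acf/v3/users/1", "status": 200}
{"ts": "2025-10-01T10:00:07Z", "remote_addr": "198.51.100.7", "user_id": 12, "user_role": "contributor", "http_method": "PUT", "uri_path": "/wp-json/acf/v3/options", "status": 200}
{"ts": "2025-10-01T10:30:00Z", "remote_addr": "203.0.113.9", "user_id": 3, "user_role": "author", "http_method": "POST", "uri_path": "/wp-json/acf/v3/posts/9", "status": 403}
{"ts": "2025-10-01T11:00:00Z", "remote_addr": "203.0.113.4", "user_id": 1, "user_role": "administrator", "http_method": "PUT", "uri_path": "/wp-json/acf/v3/options", "status": 200}
{"ts": "2025-10-01T11:05:00Z", "remote_addr": "203.0.113.4", "user_id": 1, "user_role": "administrator", "http_method": "POST", "uri_path": "/wp-json/wp/v2/posts", "status": 201}
"""

ACF_PATH_GLOB = "/wp-json/acf/v3/*"          # endpoint family named in the advisory
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
LOW_PRIV_ROLES = {"contributor", "author"}     # roles named in the SIEM query
BURST_THRESHOLD = 3                            # assumed tuning values for the burst check
BURST_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse JSON-lines records; skip blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
        except (ValueError, KeyError):
            continue
    return records


def is_acf_write(rec):
    """True for any state-changing request against the ACF v3 endpoints."""
    return (fnmatch.fnmatch(rec["uri_path"], ACF_PATH_GLOB)
            and rec["http_method"].upper() in WRITE_METHODS)


def find_privilege_hits(records):
    """Log indicator: successful (2xx) ACF writes by Contributor/Author accounts.
    A 403 on the same endpoint is the expected post-fix behaviour and is not flagged."""
    return [r for r in records
            if is_acf_write(r)
            and r["user_role"].lower() in LOW_PRIV_ROLES
            and 200 <= r["status"] < 300]


def find_bursts(records, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Network indicator: at least `threshold` ACF writes by one user inside a
    sliding time window. Returns {user_id: count in the busiest window}."""
    per_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if is_acf_write(r):
            per_user[r["user_id"]].append(r["ts"])
    bursts = {}
    for uid, stamps in per_user.items():
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[uid] = best
    return bursts


def summarize(text):
    """Run both checks over a log and return a compact report for a SIEM or ticket."""
    records = parse_log(text)
    hits = find_privilege_hits(records)
    return {
        "privilege_hits": [(r["user_id"], r["http_method"], r["uri_path"]) for r in hits],
        "bursts": find_bursts(records),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the constructed sample, user 12 produces three privilege hits (the POST to posts/5, the POST to users/1 and the PUT to options) and a burst of three writes within the window; the author's 403 and the administrator's traffic are not reported. In practice, the privilege check is the one that maps directly onto this CVE, while the burst check is a noisier secondary signal that needs tuning per site.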
🔗 References
- https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L108
- https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L120
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab508fa-298c-48c1-8510-f2e0a881675a?source=cve