CVE-2025-62979
📋 TL;DR
This vulnerability in the ACF to REST API WordPress plugin exposes sensitive data embedded in Advanced Custom Fields through the REST API. Attackers can retrieve information that should remain private by making unauthenticated requests to affected endpoints. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- ACF to REST API WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers retrieve sensitive user data, API keys, credentials, or other confidential information stored in custom fields, leading to data breaches and potential account compromise.
Likely Case
Unauthenticated users access private field data like internal notes, configuration details, or user metadata that should not be publicly exposed.
If Mitigated
With proper access controls and field filtering, only authorized users can access sensitive data, limiting exposure to authenticated administrators.
🎯 Exploit Status
Exploitation requires understanding of WordPress REST API endpoints and ACF field structure. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.5 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'ACF to REST API' and check if an update is available.
4. Click 'Update Now' to install version 3.3.5 or later.
5. Verify the plugin is active and functioning correctly.
🔧 Temporary Workarounds
- Disable REST API endpoints for sensitive fields: modify ACF field settings to exclude sensitive fields from REST API exposure. Edit ACF field groups and set 'Show in REST API' to false for sensitive fields.
- Implement custom REST API authentication: add authentication requirements to REST API endpoints containing sensitive data. Add WordPress authentication checks to REST API callback functions.
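The second workaround above, an authentication check that runs before any of the plugin's REST callbacks, as an added PHP example; it is not code from the ACF to REST API plugin or from this page. It relies only on WordPress core's rest_pre_dispatch filter. The /acf/ route prefix, the edit_posts capability used as the bar, and the function name example_gate_acf_rest_routes are assumptions to adjust for your site.

```php
<?php
/**
 * Plugin Name: Require authentication for ACF REST routes (added example)
 *
 * Added example, not part of the ACF to REST API plugin. Place it in
 * wp-content/mu-plugins/ so it loads on every request. It hooks the core
 * 'rest_pre_dispatch' filter, which runs before the REST server resolves a
 * route, and refuses any request under the /acf/ namespace unless the caller
 * is logged in and holds the chosen capability. Prefix and capability are
 * assumptions; tune them to the site.
 */

add_filter( 'rest_pre_dispatch', 'example_gate_acf_rest_routes', 10, 3 );

/**
 * @param mixed           $result  Pre-computed result (null means "not handled yet").
 * @param WP_REST_Server  $server  The REST server instance.
 * @param WP_REST_Request $request The incoming request.
 * @return mixed|WP_Error Unchanged $result to continue, or WP_Error to refuse.
 */
function example_gate_acf_rest_routes( $result, $server, $request ) {
    // Another filter already produced a result; leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    // Only routes served under the /acf/ namespace are gated (assumed prefix).
    if ( 0 !== strpos( $request->get_route(), '/acf/' ) ) {
        return $result;
    }

    // Anonymous callers get 401, logged-in users without the capability get 403;
    // rest_authorization_required_code() picks the right one.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Authentication is required to read ACF field data.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}
```

Because the check runs at dispatch time, it covers every route the plugin registers without editing plugin code, and it survives plugin updates. Browser code that legitimately reads ACF fields must send a valid X-WP-Nonce header with its cookie-authenticated requests, or WordPress treats the caller as anonymous; server-to-server clients can use application passwords instead.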
🧯 If You Can't Patch
- Disable the ACF to REST API plugin entirely if not critically needed
- Implement web application firewall rules to block unauthorized REST API requests to sensitive endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for ACF to REST API version. If version is 3.3.4 or earlier, the site is vulnerable.
Check Version:
wp plugin list --name=acf-to-rest-api --field=version
(--name filters on the plugin slug as listed by wp plugin list, not the display name; acf-to-rest-api is the plugin's slug on wordpress.org.)
Verify Fix Applied:
After updating, verify the plugin version shows 3.3.5 or later in WordPress admin. Test REST API endpoints that previously exposed sensitive data to confirm they now return appropriate access controls.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of GET requests to /wp-json/acf/ endpoints
- Requests to REST API endpoints from unauthorized IP addresses
- Access attempts to sensitive field names in URL parameters
Network Indicators:
- HTTP 200 responses containing sensitive field data in REST API responses
- Pattern of requests probing for ACF field endpoints
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/acf/*" OR user_agent="*rest*api*") AND response_code=200
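The log indicators above, turned into a small detection routine: an added PHP example, not from this page or the plugin. It parses access-log lines in the common "combined" format, keeps only GET requests under /wp-json/acf/ that returned HTTP 200 (the same condition the SIEM query expresses), and flags any client address that reaches a threshold of such reads inside a sliding time window. The sample log lines, the threshold of 3 and the 60-second window are constructed assumptions; so is the function name find_acf_enumeration.

```php
<?php
/**
 * Added example (not from the original page): scan web-server access logs for
 * bursts of GET requests to /wp-json/acf/ that returned HTTP 200, the pattern a
 * bulk read of exposed ACF fields leaves behind. Sample lines are constructed.
 */

// Constructed sample lines in Apache/Nginx "combined" format.
$sample_log = <<<'LOG'
203.0.113.7 - - [12/Nov/2025:10:00:01 +0000] "GET /wp-json/acf/v3/posts/1 HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [12/Nov/2025:10:00:02 +0000] "GET /wp-json/acf/v3/posts/2 HTTP/1.1" 200 790 "-" "curl/8.4.0"
203.0.113.7 - - [12/Nov/2025:10:00:02 +0000] "GET /wp-json/acf/v3/posts/3 HTTP/1.1" 200 805 "-" "curl/8.4.0"
203.0.113.7 - - [12/Nov/2025:10:00:03 +0000] "GET /wp-json/acf/v3/users/1 HTTP/1.1" 200 410 "-" "curl/8.4.0"
198.51.100.20 - - [12/Nov/2025:10:00:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Nov/2025:10:00:09 +0000] "GET /wp-json/acf/v3/posts/1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Nov/2025:10:01:00 +0000] "GET /wp-json/acf/v3/options/options HTTP/1.1" 401 120 "-" "python-requests/2.31"
LOG;

// Combined log format: client IP, timestamp, "METHOD PATH PROTOCOL", status.
const LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

/**
 * Return [ip => total ACF reads] for clients whose successful (200) GETs to
 * /wp-json/acf/ reach $threshold within any span of $window_seconds.
 */
function find_acf_enumeration( string $log, int $threshold = 3, int $window_seconds = 60 ): array {
    $hits = array(); // ip => list of unix timestamps of qualifying requests
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( LOG_PATTERN, $line, $m ) ) {
            continue; // not a recognised log line
        }
        list( , $ip, $ts, $method, $path, $status ) = $m;
        if ( 'GET' !== $method || '200' !== $status ) {
            continue; // only successful reads count; 401/403 mean the gate held
        }
        if ( 0 !== strpos( $path, '/wp-json/acf/' ) ) {
            continue; // other REST namespaces are out of scope here
        }
        $t = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $ts );
        if ( false === $t ) {
            continue;
        }
        $hits[ $ip ][] = $t->getTimestamp();
    }

    $flagged = array();
    foreach ( $hits as $ip => $times ) {
        sort( $times );
        $start = 0; // left edge of the sliding window
        foreach ( $times as $i => $t ) {
            while ( $t - $times[ $start ] > $window_seconds ) {
                $start++;
            }
            if ( $i - $start + 1 >= $threshold ) {
                $flagged[ $ip ] = count( $times );
                break;
            }
        }
    }
    return $flagged;
}

foreach ( find_acf_enumeration( $sample_log ) as $ip => $n ) {
    printf( "ALERT %s: %d successful ACF REST reads within the window\n", $ip, $n );
}
```

Counting only 200 responses keeps the alert tied to actual disclosure rather than to blocked probes, which a separate, lower-severity rule can track; a single legitimate front-end read stays below the threshold, while the sliding window catches a scripted walk through post IDs regardless of when in the hour it starts.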