CVE-2020-13700 — acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink man

Description

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a `wp-json/acf/v3/options/` request that reads sensitive information in the `wp_options` table, such as the login and pass values.

How to fix CVE-2020-13700

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2020-13700 being exploited?

Likely — EPSS is 90.2%, placing CVE-2020-13700 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, <= 3.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-13700
PATCHgithub.com/airesvsg/acf-to-rest-api
WEBgist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
WEBwordpress.org/plugins/acf-to-rest-api/#developers