CVE-2020-13700

HIGH7.5EPSS 90.2%

acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation

發布日:2022/5/24修改日:2024/2/16

描述

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a `wp-json/acf/v3/options/` request that reads sensitive information in the `wp_options` table, such as the login and pass values.

受影響套件(1)

Packagist/airesvsg/acf-to-rest-apifrom 0, <= 3.1.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13700
PATCHhttps://github.com/airesvsg/acf-to-rest-api
WEBhttps://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
WEBhttps://wordpress.org/plugins/acf-to-rest-api/#developers