CVE-2020-13700 Overview
CVE-2020-13700 is an Insecure Direct Object Reference (IDOR) vulnerability discovered in the ACF to REST API plugin for WordPress through version 3.1.0. The vulnerability allows unauthenticated attackers to manipulate permalinks to access sensitive information stored in the wp_options database table, including login credentials and passwords.
Critical Impact
Unauthenticated attackers can retrieve sensitive WordPress configuration data including admin credentials via REST API endpoint manipulation without any authentication requirements.
Affected Products
- ACF to REST API plugin through version 3.1.0
- WordPress installations using the vulnerable plugin versions
- Sites exposing the wp-json/acf/v3/options/ REST API endpoint
Discovery Timeline
- June 24, 2020 - CVE-2020-13700 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-13700
Vulnerability Analysis
This vulnerability stems from improper authorization controls in the ACF to REST API plugin's REST endpoint handling. The plugin extends Advanced Custom Fields (ACF) functionality by exposing custom field data through the WordPress REST API. However, the implementation fails to properly validate user permissions before returning sensitive option values.
When a request is made to the wp-json/acf/v3/options/ endpoint, the plugin does not verify whether the requesting user has appropriate privileges to access the requested data. This allows any unauthenticated user to read arbitrary values from the wp_options table by manipulating the request path.
The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that user-supplied input directly controls which database records are accessed without proper authorization checks.
Root Cause
The root cause is a missing authorization check in the REST API endpoint handler. The plugin exposes WordPress options through the REST API without implementing proper capability checks or access controls. When processing requests to the options endpoint, the plugin directly queries the database based on user-supplied parameters without validating that the user has permission to view the requested data.
This is a classic example of an Insecure Direct Object Reference vulnerability where the application exposes internal implementation objects (database records) to users without verifying authorization.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the WordPress REST API endpoint.
The attack follows this pattern:
- Attacker identifies a WordPress site running the vulnerable ACF to REST API plugin
- Attacker sends a GET request to wp-json/acf/v3/options/ with manipulated parameters
- The plugin retrieves and returns sensitive data from the wp_options table without authorization checks
- Attacker receives sensitive configuration data including potential login credentials
The vulnerability is particularly dangerous because WordPress stores various sensitive configuration values in the wp_options table, including database credentials, authentication keys, and potentially user passwords depending on the site's configuration and installed plugins.
Detection Methods for CVE-2020-13700
Indicators of Compromise
- Unusual GET requests to wp-json/acf/v3/options/ endpoints from external IP addresses
- Access log entries showing enumeration attempts against REST API option endpoints
- Multiple failed login attempts following REST API option queries from the same source
- Unexpected access to WordPress administrative functions after REST API reconnaissance
Detection Strategies
- Monitor web server access logs for requests containing wp-json/acf/v3/options/ patterns
- Implement Web Application Firewall (WAF) rules to detect and block unauthorized REST API option queries
- Configure intrusion detection systems to alert on multiple REST API enumeration attempts
- Review WordPress audit logs for signs of credential harvesting or unauthorized access
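Detection logic for the indicators and strategies listed above, as an added example that is not part of this advisory: it parses constructed Apache combined-format access-log lines, URL-decodes the request target so the plain-permalink ?rest_route= form is caught as well as the /wp-json/ path, and reports sources that enumerate the endpoint and requests that were answered with 200. The option paths in the sample lines are assumed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The path layout under /wp-json/acf/v3/options/ is assumed for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2020:10:01:02 +0000] "GET /wp-json/acf/v3/options/options HTTP/1.1" 200 812 "-" "curl/7.68.0"
203.0.113.7 - - [24/Jun/2020:10:01:03 +0000] "GET /wp-json/acf/v3/options/options/siteurl HTTP/1.1" 200 120 "-" "curl/7.68.0"
203.0.113.7 - - [24/Jun/2020:10:01:04 +0000] "GET /?rest_route=%2Facf%2Fv3%2Foptions%2Foptions%2Fadmin_email HTTP/1.1" 200 140 "-" "curl/7.68.0"
198.51.100.3 - - [24/Jun/2020:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Jun/2020:10:03:00 +0000] "GET /wp-json/acf/v3/options/options HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Match the pretty-permalink form (/wp-json/acf/v3/options/...) and the
# plain-permalink form (?rest_route=/acf/v3/options/...), after URL-decoding.
ACF_OPTIONS_RE = re.compile(r'(?:/wp-json|rest_route=)/acf/v3/options(?:/|$|\?)', re.IGNORECASE)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['target'] = unquote(rec['target'])  # normalise %2F etc. before matching
    return rec

def find_option_requests(lines):
    """All requests that reach the ACF options endpoint, whatever the URL form."""
    return [r for r in map(parse_line, lines) if r and ACF_OPTIONS_RE.search(r['target'])]

def enumeration_sources(hits, threshold=3):
    """Sources that requested >= threshold distinct option paths (enumeration indicator)."""
    by_ip = defaultdict(set)
    for h in hits:
        by_ip[h['ip']].add(h['target'])
    return {ip: sorted(t) for ip, t in by_ip.items() if len(t) >= threshold}

def successful_reads(hits):
    """Hits answered with 200: likely disclosure, so rotate what those options held."""
    return [h for h in hits if h['status'] == 200]
```

A WAF or rewrite rule that keys only on the /wp-json/ path will miss the ?rest_route= form, which is why the target is decoded and both forms are matched.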
Monitoring Recommendations
- Enable detailed logging for WordPress REST API endpoints
- Configure real-time alerting for access attempts to sensitive API paths
- Implement rate limiting on REST API endpoints to slow enumeration attacks
- Monitor for unusual patterns in WordPress configuration access
How to Mitigate CVE-2020-13700
Immediate Actions Required
- Update ACF to REST API plugin to a patched version immediately
- Disable the vulnerable plugin if updates are not available
- Implement WAF rules to block unauthorized access to wp-json/acf/v3/options/ endpoints
- Review access logs for evidence of prior exploitation
- Rotate any potentially exposed credentials stored in wp_options
Patch Information
Organizations should update the ACF to REST API plugin to the latest available version. The vulnerability affects versions through 3.1.0. Administrators can find update information on the WordPress ACF to REST API plugin page and the GitHub ACF to REST API repository. A technical analysis is available as a GitHub Gist.
Workarounds
- Disable the ACF to REST API plugin entirely if not required
- Implement server-side access controls to block requests to the vulnerable endpoint
- Use a Web Application Firewall to filter malicious requests
- Restrict REST API access to authenticated users only via WordPress configuration
# Apache .htaccess configuration to block the vulnerable endpoint.
# Place this block above the "# BEGIN WordPress" rules so it is evaluated before WordPress's catch-all rewrite to index.php.
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty-permalink form of the endpoint
RewriteRule ^wp-json/acf/v3/options/ - [F,L]
# Plain-permalink form (?rest_route=/acf/v3/options/...), including %2F-encoded slashes
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)acf(/|%2F)v3(/|%2F)options [NC]
RewriteRule ^ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

