CVE-2025-12030 Overview
The ACF to REST API plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 3.3.4. This security flaw stems from insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without validating object-specific permissions such as edit_post($id), edit_user($id), or manage_options.
This vulnerability enables authenticated attackers with Contributor-level access or higher to modify Advanced Custom Fields (ACF) data on resources they do not own, including posts, user accounts, comments, taxonomy terms, and even the global options page through the /wp-json/acf/v3/{type}/{id} REST API endpoints.
Critical Impact
Authenticated attackers with minimal privileges can modify ACF fields across the entire WordPress installation, potentially leading to unauthorized data manipulation, privilege escalation, and site defacement.
Affected Products
- ACF to REST API plugin for WordPress versions up to and including 3.3.4
Discovery Timeline
- 2026-01-07 - CVE CVE-2025-12030 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-12030
Vulnerability Analysis
This Insecure Direct Object Reference vulnerability (CWE-639) exists due to a fundamental authorization logic flaw in the ACF to REST API plugin. The plugin exposes REST API endpoints that allow modification of ACF field data across various WordPress object types, but fails to implement proper object-level authorization checks.
When a user attempts to update ACF fields via the REST API, the update_item_permissions_check() method only confirms that the requesting user possesses the generic edit_posts capability. This is a coarse-grained permission check that does not account for object ownership or specific resource-level permissions. As a result, any authenticated user with the Contributor role or higher can modify ACF data on any object accessible through the API, regardless of whether they have legitimate access to that specific resource.
The impact of this vulnerability is significant because ACF fields are often used to store critical site configuration data, user metadata, and content-related information. An attacker exploiting this vulnerability could modify site-wide settings stored in the options page, alter other users' profile information, or manipulate post content across the entire site.
Root Cause
The root cause is the absence of object-specific permission validation in the update_item_permissions_check() method within the class-acf-to-rest-api-controller.php file. The method relies solely on current_user_can('edit_posts') without subsequently calling object-specific capability checks like current_user_can('edit_post', $post_id) or current_user_can('edit_user', $user_id).
WordPress's capability system is designed to support both role-based and object-based permission checks. By omitting the object-specific checks, the plugin bypasses WordPress's built-in authorization model and creates a horizontal privilege escalation vulnerability.
Attack Vector
The vulnerability is exploitable over the network by any authenticated user with at least Contributor-level access. The attack flow involves:
- An attacker authenticates to the WordPress site with a low-privilege account (Contributor or higher)
- The attacker identifies target resources (posts, users, options) and their corresponding IDs
- The attacker crafts malicious PUT/PATCH requests to the /wp-json/acf/v3/{type}/{id} endpoints
- The plugin validates only the edit_posts capability, which Contributors possess
- The ACF field data is modified on the target resource regardless of ownership
For example, an attacker could target the global options endpoint to modify site-wide ACF configurations, or target other user accounts to modify their ACF-stored metadata.
The vulnerability is documented in the plugin source code. For technical details, see the WordPress Plugin Code Reference showing the affected permission check implementation.
Detection Methods for CVE-2025-12030
Indicators of Compromise
- Unexpected modifications to ACF field values on posts, users, comments, or taxonomy terms
- Unusual REST API activity targeting /wp-json/acf/v3/ endpoints from low-privilege accounts
- Modifications to the WordPress options table via ACF REST API calls
- Audit log entries showing ACF field updates by users who do not own the target resources
Detection Strategies
- Monitor WordPress REST API access logs for PUT/PATCH requests to /wp-json/acf/v3/{type}/{id} endpoints
- Implement alerting for ACF field modifications made by users without ownership of the target resource
- Deploy web application firewall (WAF) rules to detect suspicious patterns in ACF REST API requests
- Review authentication logs for Contributor-level accounts making bulk API modifications
Monitoring Recommendations
- Enable detailed logging for all WordPress REST API requests, particularly those targeting ACF endpoints
- Configure SIEM alerts for anomalous ACF field modification patterns across multiple objects
- Implement file integrity monitoring for critical ACF-stored configuration values
- Regularly audit ACF field values on sensitive objects such as user profiles and global options
How to Mitigate CVE-2025-12030
Immediate Actions Required
- Update the ACF to REST API plugin to the latest patched version immediately
- Temporarily disable the ACF to REST API plugin if an update is not yet available
- Review recent ACF field modifications for unauthorized changes, particularly on user accounts and options
- Restrict REST API access to trusted users while awaiting a patch
- Consider implementing additional authentication requirements for ACF REST API endpoints
Patch Information
Organizations should monitor the WordPress plugin repository for an updated version of the ACF to REST API plugin that addresses this vulnerability. The fix should implement proper object-specific capability checks in the update_item_permissions_check() method, ensuring that requests include validation of edit_post($id), edit_user($id), or manage_options as appropriate for the target resource type.
For additional details, refer to the Wordfence Vulnerability Report.
Workarounds
- Disable the ACF to REST API plugin entirely until a patched version is available
- Implement a custom WordPress filter or plugin to add object-specific permission checks to ACF REST API endpoints
- Use a web application firewall (WAF) to block or restrict access to /wp-json/acf/v3/ endpoints
- Revoke REST API authentication from low-privilege users who do not require ACF API access
- Audit and remove unnecessary Contributor or Author accounts that could be exploited
# Disable ACF to REST API plugin via WP-CLI
wp plugin deactivate acf-to-rest-api
# Check for unauthorized ACF field modifications in database
wp db query "SELECT * FROM wp_postmeta WHERE meta_key LIKE '_acf%' ORDER BY meta_id DESC LIMIT 100"
# List all users with Contributor role or higher
wp user list --role=contributor --field=user_login
wp user list --role=author --field=user_login
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
