vulnerability

WordPress Plugin: acf-to-rest-api: CVE-2020-13700: Authorization Bypass Through User-Controlled Key

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:P/I:N/A:N)	May 29, 2020	May 15, 2025	Jun 24, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

May 29, 2020

Added

May 15, 2025

Modified

Jun 24, 2025

Description

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values. Issue was finally patched in 3.3.0

Solution

acf-to-rest-api-plugin-cve-2020-13700

References

URL-https://www.cve.org/CVERecord?id=CVE-2020-13700
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/738e5946-65e4-4403-bb23-f84910289a45?source=api-prod
CVE-2020-13700
https://attackerkb.com/topics/CVE-2020-13700
CWE-639

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today