
CVE-2020-13700: acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.99637%
Published: 5/24/2022
Updated: 11/15/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: airesvsg/acf-to-rest-api
Ecosystem: composer
Vulnerable Versions: <= 3.1.0
First Patched Version: none listed

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from two related defects. 1) The options controller passes the user-supplied 'id' parameter straight through to a wp_options lookup with no authorization check, so any caller can reference any option row (CWE-639). 2) The field-processing logic concatenates URL parameters, so a caller who controls both $_GET['id'] and $_GET['field'] can assemble an arbitrary option name such as 'mailserver_pass' and have its value returned (CWE-200). Because the plugin's REST endpoints expose raw option access without a WordPress capability check (for example current_user_can()) or any validation of the referenced object, an unauthenticated `wp-json/acf/v3/options/` request can read arbitrary rows of the wp_options table, including the mail server password stored under 'mailserver_pass'.
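The two defects above and one way to close them, as an added illustrative example in PHP. This is not the acf-to-rest-api plugin's own code: the namespace, route paths, function names and the allow-list of exposable options are hypothetical. The vulnerable handler builds the option key by concatenating the caller's id and field path segments and serves the result to anyone; the hardened handler restricts the route to administrators, validates the id against a strict pattern, and returns only allow-listed options.

```php
<?php
/**
 * Added illustrative example, not code from the acf-to-rest-api plugin.
 * Reproduces the pattern in the root-cause analysis (caller-controlled
 * id/field turned into a wp_options key with no capability check) and
 * shows one hardened form. All names below are hypothetical.
 */

// VULNERABLE: the option key is assembled from caller-controlled URL
// segments and its value is returned to any caller (CWE-639 / CWE-200).
function example_vuln_get_option( WP_REST_Request $request ) {
    // id=mailserver, field=_pass  ->  get_option( 'mailserver_pass' )
    $key = $request['id'] . $request['field'];
    return new WP_REST_Response( array( 'value' => get_option( $key ) ), 200 );
}

// HARDENED: strict key format, an allow-list of options that may be exposed,
// and (below, in the route registration) a capability check.
function example_safe_get_option( WP_REST_Request $request ) {
    $allowed = array( 'blogname', 'blogdescription' ); // hypothetical allow-list
    $key     = sanitize_key( $request['id'] );
    if ( ! in_array( $key, $allowed, true ) ) {
        return new WP_Error(
            'rest_forbidden_option',
            'This option is not exposed through the REST API.',
            array( 'status' => 403 )
        );
    }
    return new WP_REST_Response( array( 'value' => get_option( $key ) ), 200 );
}

add_action( 'rest_api_init', function () {
    // Vulnerable shape: permission_callback admits everyone, and the two
    // free-form path segments are concatenated by the callback.
    register_rest_route( 'example/v1', '/options-vuln/(?P<id>[\w\-]+)/(?P<field>[\w\-]+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_vuln_get_option',
        'permission_callback' => '__return_true',
    ) );

    // Hardened shape: administrators only, a single validated id segment.
    // WordPress evaluates permission_callback and the argument validators
    // before the callback runs, so unauthenticated callers never reach it.
    register_rest_route( 'example/v1', '/options/(?P<id>[a-z0-9_]+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_safe_get_option',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && 1 === preg_match( '/^[a-z0-9_]+$/', $value );
                },
            ),
        ),
    ) );
} );
```

With the vulnerable route registered, an unauthenticated GET to /wp-json/example/v1/options-vuln/mailserver/_pass returns the value of get_option( 'mailserver_pass' ). The hardened route rejects the same request with rest_forbidden before the callback executes, and even an administrator only receives options on the allow-list.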


WAF Protection Rules

WAF Rule

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a `wp-json/acf/v3/options/` request that reads sensitive information in t
