CVE-2025-12030 MEDIUM

CVE-2025-12030: ACF to REST API <= 3.3.4 - Insecure Direct Object Reference to Authenticated (Contributor+) ACF Field/Option Modification

Vendor Airesvsg
Product ACF to REST API
Weakness CWE-639 · IDOR
Published January 7, 2026
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. The cause is an insufficient capability check in the update_item_permissions_check() method, which only verifies that the current user holds the edit_posts capability and never checks permissions on the specific object being modified (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers with Contributor-level access or above to modify ACF fields on posts they do not own, on any user account, on comments, on taxonomy terms, and even on the global options page via the /wp-json/acf/v3/{type}/{id} endpoints.
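To make the root cause concrete, the following added example (illustrative code, not the plugin's or the advisory's) places a permission callback of the kind the description criticizes beside a hardened one that resolves the target object and requires its object-specific capability. The route type names and the way the request exposes the type and id parameters are assumptions.

```php
<?php
// Added illustrative example; not code from the ACF to REST API plugin.
// Assumed: the route is /acf/v3/{type}/{id} and $request carries 'type'
// and 'id' parameters. Type names below are assumed, not the plugin's.

/**
 * Weak check matching the pattern the advisory describes: any user who
 * can edit posts (Contributor and above) passes, no matter which object
 * {type}/{id} actually refers to.
 */
function weak_update_item_permissions_check( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

/**
 * Hardened check: map the requested object type to the meta-capability
 * WordPress core already defines for that object, and pass the object id
 * so ownership is evaluated. Unknown types are denied outright.
 */
function hardened_update_item_permissions_check( WP_REST_Request $request ) {
    $type = (string) $request->get_param( 'type' );
    $id   = absint( $request->get_param( 'id' ) );

    switch ( $type ) {
        case 'post':
        case 'page':
            // edit_post resolves to edit_others_posts for posts the user does not own.
            return $id > 0 && current_user_can( 'edit_post', $id );
        case 'user':
            // Only users allowed to edit this specific account (or themselves).
            return $id > 0 && current_user_can( 'edit_user', $id );
        case 'comment':
            return $id > 0 && current_user_can( 'edit_comment', $id );
        case 'term':
            return $id > 0 && current_user_can( 'edit_term', $id );
        case 'option':
            // Options pages hold global site settings: administrators only.
            return current_user_can( 'manage_options' );
        default:
            // Fail closed rather than fall through to a weaker check.
            return false;
    }
}
```

Either function is the `permission_callback` argument of `register_rest_route()`; the hardened form is the shape of fix the description implies, since it checks the object, not just the role.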

Explanation of Vulnerability in Simple Terms

02 Summary

ACF to REST API versions 3.3.4 and earlier contain an authorization flaw that lets authenticated users modify data they should not be able to change. An attacker with a low-privilege account can alter content or settings through the REST API because the endpoint does not check permissions on the specific object being modified. This affects sites that use the plugin with multiple user roles or restricted editing permissions.

What an attacker can do

03 Attacker Capabilities

Modify site data or settings via REST API without proper authorization checks.

Potential impact on your site

04 Site Impact

Users with limited editing permissions may be able to alter content or settings beyond their intended scope.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege authenticated account on the site.

Key dates

06 Disclosure timeline

January 7, 2026 CVE published
April 8, 2026 Record updated