CVE-2025-12030

Name of the Vulnerable Software and Affected Versions ACF to REST API plugin for WordPress versions through 3.3.4

Description The ACF to REST API plugin for WordPress is affected by an Insecure Direct Object Reference issue. Insufficient capability checks in the update item permissions check() method allow authenticated attackers with Contributor-level access or higher to modify ACF fields. Attackers can modify posts they do not own, user accounts, comments, taxonomy terms, and global options. This is possible through the /wp-json/acf/v3/{type}/{id} API endpoints, where {type} and {id} represent the object type and identifier, respectively. The issue stems from a lack of object-specific permission checks, only verifying the edit posts capability.

Recommendations Update the ACF to REST API plugin to a version later than 3.3.4.