Last active June 29, 2020 11:56
[Suggested description]
An issue was discovered in the acf-to-rest-api WordPress plugin through version 3.1.0. It allowed insecure direct object reference via permalink manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information from the wp_options table, such as login and pass values.
[Additional Information]
During a penetration test we found that the logic of ACF can be abused by sending a crafted URI and overriding the permalink parameters with $_GET parameters. This makes it possible to read WordPress settings saved in the "wp_options" table.
To reproduce the vulnerability, send a request to the wp-json ACF endpoint in the format "wp-json/acf/v3/options/a", which defines the options "id" as "a". Then override that parameter by sending "id" and "field" as $_GET parameters so that they compose a full meta_key name that exists in the wp_options table. As a result, the server returns the matching meta_value in the response.
Example request that takes over the "active_plugins" key and returns the full list of plugins activated in the current installation:
GET /wp-json/acf/v3/options/a?id=active&field=plugins HTTP/1.1
Server response:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
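A defender-side check for the pattern described above, added here as an example and not part of the original report or of the plugin: it parses Apache-style access-log lines and flags requests to the ACF options route whose query string carries an "id" or "field" parameter, i.e. the override of the permalink value that the report describes. The composition of the option name as "id_field" is inferred from the report's own example (id=active, field=plugins selecting active_plugins); the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format) for the demo;
# IPs are documentation addresses and the traffic is invented.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2020:11:50:01 +0000] "GET /wp-json/acf/v3/options/options HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2020:11:50:09 +0000] "GET /wp-json/acf/v3/options/a?id=active&field=plugins HTTP/1.1" 200 310 "-" "curl/7.68.0"
203.0.113.9 - - [29/Jun/2020:11:50:15 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2020:11:50:22 +0000] "GET /wp-json/acf/v3/options/a?field=plugins HTTP/1.1" 200 310 "-" "curl/7.68.0"
"""

# Minimal combined-log parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Route named in the report and the two query parameters it says override the permalink.
ACF_OPTIONS_PATH = "/wp-json/acf/v3/options/"
OVERRIDE_PARAMS = {"id", "field"}


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    entry["status"] = int(entry["status"])
    return entry


def is_override_attempt(entry):
    """True when the ACF options route is hit with id/field supplied via the query string."""
    if entry is None or not entry["path"].startswith(ACF_OPTIONS_PATH):
        return False
    return bool(OVERRIDE_PARAMS & set(entry["query"]))


def composed_option(query):
    """Option name the override would select, inferred as '<id>_<field>' from the report's example.
    Returns None unless both parameters are present."""
    if "id" in query and "field" in query:
        return f"{query['id'][0]}_{query['field'][0]}"
    return None


def find_override_attempts(log_text):
    """Scan a log and return one finding per matching request, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not is_override_attempt(entry):
            continue
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "target": entry["target"],
            "overridden": sorted(OVERRIDE_PARAMS & set(entry["query"])),
            "option": composed_option(entry["query"]),
            # A 200 means the endpoint answered; on a vulnerable version that is a likely disclosure.
            "served": entry["status"] == 200,
        })
    return findings


if __name__ == "__main__":
    for f in find_override_attempts(SAMPLE_LOG):
        print(f)
```

Any hit with "served" true on an installation running acf-to-rest-api 3.1.0 or earlier should be treated as a probable disclosure of the named option; the report's own fix guidance is to move past 3.1.0, and the route should in any case not be reachable without authentication.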
Example payloads:
[VulnerabilityType Other]
Insecure direct object reference via permalinks manipulation
[Vendor of Product]
[Affected Product Code Base]
wordpress acf-to-rest-api plugin - affected <= 3.1.0
[Affected Component]
options fetching
[Attack Type]
[Impact Information Disclosure]
Mariusz Popławski
FIX at:
Mariusz Popławski / team