ACF to REST API Insecure Direct Object Reference Vulnerability Allowing Unauthorized ACF Field Modification

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the ACF to REST API plugin for WordPress, affecting all versions through 3.3.4. The vulnerability arises from an inadequate capability check in the 'update_item_permissions_check()' method, which only confirms that the user holds the 'edit_posts' capability and never checks permissions on the specific object being updated. This flaw enables authenticated attackers with Contributor-level access or higher to alter ACF fields on posts they do not own, as well as on any user account, comment, taxonomy term, and the global options page. Exploitation is possible through the '/wp-json/acf/v3/{type}/{id}' endpoints, provided the attacker can authenticate to the site.

Impact

Exploitation of this vulnerability could lead to unauthorized modification of ACF fields on posts, user accounts, comments, taxonomy terms, and global options.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the '/wp-json/acf/v3/{type}/{id}' endpoint. The request can include ACF field data to be modified. The absence of proper permission checks allows the user to alter ACF fields on posts they do not own or modify other object types such as user accounts, comments, and global options.
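The following pair of REST permission callbacks is an added illustration, not code from the plugin: the first has the shape the advisory describes (one global 'edit_posts' check), the second is an object-aware replacement that resolves a per-object meta capability from the {type} and {id} route parameters. The route parameter names and the type values ('posts', 'users', 'comments', 'terms', 'options') are assumptions made for the example.

```php
// Illustrative permission callbacks for a route like /acf/v3/{type}/{id}.
// Both functions are assumed examples for this advisory, not the plugin's source.

// Vulnerable shape described in the advisory: one global capability check
// with no reference to the object being updated.
function vulnerable_update_item_permissions_check( WP_REST_Request $request ) {
    // Any Contributor (who holds edit_posts) passes, whichever post,
    // user, comment, term or options page the request targets.
    return current_user_can( 'edit_posts' );
}

// Hardened form: check the object-specific meta capability for the
// requested {type} against the requested {id}.
function hardened_update_item_permissions_check( WP_REST_Request $request ) {
    $type = (string) $request->get_param( 'type' );
    $id   = (int) $request->get_param( 'id' );

    switch ( $type ) {
        case 'posts': // custom post types routed the same way work too
            // edit_post is a meta capability: WordPress maps it to
            // edit_others_posts when $id belongs to another author.
            $allowed = $id > 0 && current_user_can( 'edit_post', $id );
            break;
        case 'users':
            $allowed = $id > 0 && current_user_can( 'edit_user', $id );
            break;
        case 'comments':
            $allowed = $id > 0 && current_user_can( 'edit_comment', $id );
            break;
        case 'terms':
            $allowed = $id > 0 && current_user_can( 'edit_term', $id );
            break;
        case 'options':
            // Global options page: only site administrators may change it.
            $allowed = current_user_can( 'manage_options' );
            break;
        default:
            $allowed = false; // unknown type: deny, never fall back to edit_posts
    }

    if ( ! $allowed ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to update ACF fields on this object.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}
```

Registering the hardened callback as the route's 'permission_callback' makes the {id} part of the authorization decision, which is exactly what the vulnerable check omits.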

Added: Jan 7, 2026, 5:22 PM
Updated: Jan 7, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          3.1
  exploitability  6.4
  remediation     0.0
  relevance       1.9
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.