The ACF to REST API plugin for WordPress suffers from an Insecure Direct Object Reference vulnerability (CWE-639) due to inadequate capability checks in the update_item_permissions_check() method. Specifically, the method only verifies that the user has the edit_posts capability without confirming permissions on the specific object being modified (e.g., edit_post($id), edit_user($id), manage_options). This flaw allows authenticated users with Contributor-level privileges or higher to modify ACF fields on posts they do not own, user accounts, comments, taxonomy terms, and global options via the /wp-json/acf/v3/{type}/{id} REST API endpoints. The vulnerability affects all versions up to and including 3.3.4. The CVSS 3.1 base score is 4.3 (medium severity), reflecting network attack vector, low complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. There is no patch or vendor advisory currently available, and no known exploitation in the wild has been reported.

An authenticated attacker with Contributor-level access or higher can modify Advanced Custom Fields on posts they do not own, as well as other sensitive objects such as user accounts, comments, taxonomy terms, and global options. This could lead to unauthorized data modification within the WordPress site, potentially affecting site content and configuration. The vulnerability does not impact confidentiality or availability but does impact data integrity to a limited extent.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level and higher access to trusted users only. Monitor for updates from the plugin vendor or WordPress security channels regarding patches or temporary mitigations.