CVE-2025-12030: CWE-639 Authorization Bypass Through User-Controlled Key in airesvsg ACF to REST API
The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id} endpoints, granted they can authenticate to the site.
AI Analysis
Technical Summary
CVE-2025-12030 is an authorization bypass (CWE-639, Authorization Bypass Through User-Controlled Key) in the ACF to REST API plugin for WordPress, affecting all versions up to and including 3.3.4. The flaw sits in the update_item_permissions_check() method, which authorizes a write by checking only the generic edit_posts capability. It never asks whether the caller may edit the specific object named in the request, i.e. it performs no edit_post($id), edit_user($id), or manage_options check. Because the object identifier in /wp-json/acf/v3/{type}/{id} is fully attacker-controlled, any authenticated user with Contributor-level access or higher (every role that carries edit_posts) can modify Advanced Custom Fields (ACF) data on posts they do not own, on any user account, on comments and taxonomy terms, and on the global options page. The attack requires authentication but no user interaction. It compromises integrity only: the advisory reports no confidentiality or availability impact. The CVSS v3.1 base score is 4.3 (medium), corresponding to a network attack vector, low attack complexity, low privileges required, no user interaction, and a low integrity impact. No public exploit or patch had been reported as of publication. The practical significance is that the lowest content-editing role gains write access to data normally reserved for editors or administrators; whether that turns into privilege escalation depends on what the site's ACF fields actually control.
Potential Impact
The primary impact of CVE-2025-12030 is unauthorized modification of site content and configuration data on WordPress sites running the ACF to REST API plugin. An attacker holding Contributor-level access or higher can alter ACF fields on posts they do not own, on user accounts, comments, and taxonomy terms, and on the global options page, which can lead to defacement, misinformation, or configuration changes that set up further attacks. Confidentiality and availability are not directly affected, but the loss of integrity can undermine trust in the site and disrupt normal operations. Sites with many contributors or loosely assigned roles are most exposed: an insider, or an external attacker who has compromised a single low-privilege account, can reach data that should require editor or administrator rights. Because options-page and user fields often drive site behaviour (templates, contact details, integrations), tampering with them can also be leveraged for social engineering or phishing. The endpoints are reachable over the network through the REST API, so exploitation is straightforward once valid credentials are in hand.
Mitigation Recommendations
To mitigate CVE-2025-12030, first audit WordPress roles and capabilities and confirm that only trusted users hold Contributor-level access or higher; remember that every role with edit_posts, not just Contributor itself, can reach the vulnerable check. Apply least privilege by keeping the number of accounts that can authenticate with edit_posts to a minimum. Monitor and log REST API traffic, in particular POST, PUT, PATCH and DELETE requests to /wp-json/acf/v3/{type}/{id}, and alert on writes whose {id} belongs to an object the authenticated user does not own (for example a Contributor writing to /acf/v3/users/1 or /acf/v3/options/...). Disable or remove the ACF to REST API plugin if it is not essential; if it is, restrict its write endpoints to the roles that genuinely need them. Until an official fix is available, enforce object-specific permissions yourself with a WordPress filter that runs before the plugin's permission callback and checks edit_post($id), edit_user($id), edit_comment($id), edit_term($id) or manage_options according to the {type} segment. A WAF can block obviously anomalous REST activity, but note that it cannot tell an authorized update from an unauthorized one without knowing which objects the caller owns, so it is a supplement rather than a replacement for the capability check. Keep WordPress core and all plugins current so the vendor fix is picked up promptly, and make sure developers understand that a route-level capability check is not a substitute for a per-object one.
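The following mu-plugin is an added example, not code from the ACF to REST API plugin or from this advisory. It shows the check the Technical Summary says is missing: instead of accepting any caller with edit_posts (the vulnerable shape is paraphrased in a comment), it maps the {type} segment of a write to /acf/v3/{type}/{id} onto an object-specific capability and runs that check before the plugin's own permission callback. The route layout (post types and taxonomies addressed by their rest_base, plus the fixed segments users, comments, terms and options) and the helper name acf_guard_required_cap are assumptions; verify them against the routes registered on your own install before relying on it.

```php
<?php
/**
 * Plugin Name: ACF REST object-permission guard (illustrative)
 *
 * Added example: not part of the ACF to REST API plugin. Place in wp-content/mu-plugins/.
 * Enforces object-specific capability checks on write requests to /acf/v3/{type}/{id}.
 * The route layout below is an assumption; adjust it to the routes your install registers.
 */

// Vulnerable shape as described by the advisory (paraphrase, not the plugin's source):
//   return current_user_can( 'edit_posts' );   // route-level only, ignores {id}

/**
 * Resolve the {type} segment to the capability (and object id) that must be checked.
 * Returns an argument list for current_user_can(), or null when the type is unknown.
 */
function acf_guard_required_cap( $type, $id ) {
	// Fixed segments (assumed ACF to REST API v3 layout).
	if ( 'users' === $type ) {
		return array( 'edit_user', (int) $id );
	}
	if ( 'comments' === $type ) {
		return array( 'edit_comment', (int) $id );
	}
	if ( 'terms' === $type ) {
		return array( 'edit_term', (int) $id );
	}
	if ( 'options' === $type ) {
		return array( 'manage_options' );
	}

	// Post types exposed over REST: match on rest_base or on the post type name.
	foreach ( get_post_types( array( 'show_in_rest' => true ), 'objects' ) as $pt ) {
		if ( $type === $pt->rest_base || $type === $pt->name ) {
			return array( 'edit_post', (int) $id );
		}
	}

	// Taxonomies exposed over REST: the id is a term id.
	foreach ( get_taxonomies( array( 'show_in_rest' => true ), 'objects' ) as $tax ) {
		if ( $type === $tax->rest_base || $type === $tax->name ) {
			return array( 'edit_term', (int) $id );
		}
	}

	return null;
}

/**
 * rest_request_before_callbacks runs before the route's permission_callback.
 * Returning a WP_Error here short-circuits the request with that error.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
	$writes = array( 'POST', 'PUT', 'PATCH', 'DELETE' );
	if ( ! in_array( $request->get_method(), $writes, true ) ) {
		return $response;
	}

	// Only the ACF v3 object routes are of interest.
	if ( ! preg_match( '#^/acf/v3/([^/]+)/([^/]+)/?$#', $request->get_route(), $m ) ) {
		return $response;
	}
	$type = $m[1];
	$id   = $m[2];

	$cap_args = acf_guard_required_cap( $type, $id );
	if ( null === $cap_args ) {
		// Unknown object type: fail closed instead of falling back to edit_posts.
		return new WP_Error(
			'rest_forbidden',
			'Unknown ACF REST object type.',
			array( 'status' => 403 )
		);
	}

	// The object-specific check the advisory says the plugin omits.
	if ( ! call_user_func_array( 'current_user_can', $cap_args ) ) {
		return new WP_Error(
			'rest_forbidden',
			'You are not allowed to modify this object.',
			array( 'status' => 403 )
		);
	}

	return $response;
}, 10, 3 );
```

With this in place a Contributor issuing PUT /wp-json/acf/v3/users/1 is refused by edit_user(1), and a write to /wp-json/acf/v3/posts/{id} succeeds only when edit_post({id}) is granted, which for a Contributor means their own unpublished posts. The filter fails closed on an unrecognised {type} rather than silently allowing it, because the whole bug is a permissive default.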
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-21T15:58:35.995Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e1b2fa55ed4ed998cb62b
Added to database: 1/7/2026, 8:37:03 AM
Last enriched: 2/27/2026, 7:54:05 PM
Last updated: 3/25/2026, 2:30:08 AM
Views: 121