CVE-2025-62979: Insertion of Sensitive Information Into Sent Data in airesvsg ACF to REST API
Insertion of Sensitive Information Into Sent Data vulnerability in airesvsg ACF to REST API acf-to-rest-api allows Retrieve Embedded Sensitive Data. This issue affects ACF to REST API: from n/a through <= 3.3.4.
AI Analysis
Technical Summary
CVE-2025-62979 is a vulnerability identified in the ACF to REST API plugin developed by airesvsg, specifically affecting all versions up to and including 3.3.4. The vulnerability allows an attacker to retrieve sensitive information embedded within data sent through the REST API endpoints. This occurs because the plugin fails to properly sanitize or restrict sensitive fields when constructing API responses, leading to unintended disclosure of confidential data. The vulnerability is remotely exploitable without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is limited to confidentiality loss, with no direct effect on data integrity or system availability. Although no exploits are currently known in the wild, the exposure of sensitive data can facilitate further attacks or data breaches. The plugin is widely used in WordPress environments to expose Advanced Custom Fields (ACF) data via REST API, making it a critical component in many web applications. The vulnerability was published on October 27, 2025, and no official patches or mitigations have been linked yet. Organizations relying on this plugin should be aware of the risk of sensitive data leakage through their public or internal APIs and take immediate steps to mitigate exposure.
Potential Impact
For European organizations, the primary impact of CVE-2025-62979 is the unauthorized disclosure of sensitive information via the REST API, which can lead to data breaches and compliance violations under regulations such as GDPR. Confidentiality loss could expose personal data, intellectual property, or internal configuration details, increasing the risk of targeted attacks or reputational damage. Since the vulnerability does not require authentication, any attacker with network access to the API endpoints can exploit it, potentially including external threat actors or insider threats. Organizations with public-facing WordPress sites using the ACF to REST API plugin are particularly vulnerable. The lack of impact on integrity and availability reduces the risk of service disruption but does not diminish the seriousness of data exposure. The medium CVSS score reflects moderate severity but should not lead to complacency given the sensitivity of exposed data and regulatory implications in Europe.
Mitigation Recommendations
1. Monitor for updates from the airesvsg project and apply patches promptly once available.
2. Until an official patch is released, implement custom filters or hooks in WordPress to sanitize or exclude sensitive fields from REST API responses generated by the ACF to REST API plugin.
3. Restrict access to REST API endpoints by IP whitelisting or authentication mechanisms to limit exposure to trusted users only.
4. Conduct an audit of all ACF fields exposed via the REST API and remove or mask any sensitive data that should not be publicly accessible.
5. Use Web Application Firewalls (WAFs) to detect and block suspicious API requests that attempt to retrieve sensitive information.
6. Educate development and security teams about the risks of exposing sensitive data through APIs and enforce secure coding practices for API development.
7. Regularly review and update API permissions and access controls to minimize unnecessary data exposure.
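As an added illustration of mitigation steps 2 and 3 (this is example code written for this page, not code from the ACF to REST API plugin, from airesvsg or from Patchstack), the following WordPress must-use plugin does two things: it strips a configurable list of ACF field names from the `acf` key of core post-type REST responses before they are sent, and it rejects unauthenticated REST requests. It assumes that the plugin attaches field data under the `acf` key of the response (an assumption about the plugin's output format), and the field names in `EXAMPLE_SENSITIVE_ACF_FIELDS` are constructed placeholders to be replaced with the result of your own field audit (step 4). Both hooks used, `rest_prepare_{$post_type}` and `rest_authentication_errors`, are core WordPress filters.

```php
<?php
/**
 * Plugin Name: Example ACF REST redaction (illustrative mu-plugin, not part of ACF to REST API)
 *
 * Drop into wp-content/mu-plugins/. Assumes ACF data is exposed under the
 * 'acf' key of the REST response; the field names below are constructed
 * placeholders standing in for the fields your audit flagged as sensitive.
 */

// Constructed example list; replace with the field names found in your audit.
const EXAMPLE_SENSITIVE_ACF_FIELDS = array( 'api_secret', 'internal_notes', 'customer_email' );

/**
 * Step 2: remove sensitive ACF fields from a post's REST representation.
 *
 * @param WP_REST_Response $response Response for a single post.
 * @return WP_REST_Response Response with the listed fields removed from 'acf'.
 */
function example_redact_acf_rest_fields( $response ) {
    $data = $response->get_data();
    if ( is_array( $data ) && isset( $data['acf'] ) && is_array( $data['acf'] ) ) {
        foreach ( EXAMPLE_SENSITIVE_ACF_FIELDS as $field ) {
            unset( $data['acf'][ $field ] );
        }
        $response->set_data( $data );
    }
    return $response;
}

// Attach the redaction filter to every post type that is exposed over REST.
// Runs late on 'init' so custom post types registered by other plugins are included.
add_action( 'init', function () {
    foreach ( get_post_types( array( 'show_in_rest' => true ), 'names' ) as $post_type ) {
        add_filter( "rest_prepare_{$post_type}", 'example_redact_acf_rest_fields', 99 );
    }
}, 99 );

/**
 * Step 3: require an authenticated user for every REST request.
 * Returning a WP_Error from rest_authentication_errors makes the request fail
 * with the given HTTP status before any route handler runs.
 *
 * @param WP_Error|null|true $result Outcome of earlier authentication checks.
 * @return WP_Error|null|true Unchanged result, or a 401 error for anonymous requests.
 */
function example_require_rest_authentication( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // An earlier handler already authenticated or rejected the request.
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'REST API requests require authentication.',
            array( 'status' => 401 )
        );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'example_require_rest_authentication' );
```

The redaction filter only covers responses built by WordPress core's post-type controllers; the authentication requirement applies to every REST route, including any the plugin registers itself, which is why the two are combined. Requiring a logged-in user breaks any anonymous REST consumer (a headless front end, for instance), so the second filter fits the "trusted users only" posture of step 3 and should be dropped, or narrowed to the affected routes, where the API is deliberately public. Treat both as a stopgap until an official fix from the airesvsg project is available.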
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-24T14:25:07.970Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68fed03523a7bbed324accad
Added to database: 10/27/2025, 1:51:49 AM
Last enriched: 1/20/2026, 11:09:05 PM
Last updated: 2/7/2026, 3:33:52 AM