The ACF to REST API plugin for WordPress allows sensitive information stored in Advanced Custom Fields to be included and returned in REST API responses, exposing data to unauthorized receivers. This flaw, categorized as CWE‑201 (Sensitive Information Exposure), enables an attacker to retrieve embedded sensitive data from plugin endpoints, potentially exposing confidential configuration values, user data, or other private information. The plugin’s handling of data streams does not sanitize or restrict the content sent to clients, creating a direct leakage path.

WordPress sites running the airesvsg ACF to REST API plugin version 3.3.4 or earlier. The vulnerability affects all releases from the initial deployment of the plugin up to and including 3.3.4.

The CVSS score of 5.3 places the vulnerability in a moderate severity range, yet the EPSS score of less than 1% indicates a very low probability of exploitation at this time. The issue is not listed in the CISA KEV catalog. The attack would likely originate from the REST API endpoint authenticated or unauthenticated, where an adversary could craft requests to trigger the exposure of sensitive data. While the impact is limited to data disclosure rather than code execution, the sensitivity of the leaked information could lead to significant compromise of site integrity or privacy. The overall risk remains moderate due to the nature of the data exposed, with low immediate exploitation likelihood but a persistent threat if the plugin remains unpatched.