Critical Vulnerability Reported in Advanced Custom Fields: Extended Plugin
Take action: If you are using the Advanced Custom Fields: Extended plugin for WordPress, update to version 0.9.2.2 immediately. By the very nature of WordPress, the plugin is exposed to the internet, so patching or disabling the plugin are your only options. Or just wait to get hacked.
Learn More
Advanced Custom Fields: Extended, a WordPress plugin with over 100,000 active installations, is reported to have a critical security flaw that allows unauthenticated users to gain full administrative control.
The vulnerability is tracked as CVE-2025-14533 (CVSS score 9.8) and is caused by a failure to validate user roles during form submissions, enabling anyone to register an account with the highest level of permissions. The insert_user() function of the acfe_module_form_action_user class fails to enforce the role restrictions defined in the field group settings when processing form data. Instead, it iterates through the submitted data and passes the values directly to the core WordPress wp_insert_user() function without verifying that the requested role is permitted for that specific form. This allows an attacker to inject an "administrator" role parameter into the web request.
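To make the flaw concrete, here is an added illustration of the unsafe pattern the advisory describes next to a hardened variant that resolves the role server-side. This is hypothetical code written for this post, not the plugin's source; the `example_` function names and the `$allowed_roles` array (standing in for the role restriction configured in the field group settings) are assumptions.

```php
<?php
// Hypothetical illustration written for this post, not the plugin's own source.
// Names prefixed "example_" and the $allowed_roles array (standing in for the
// role restriction in the field group settings) are assumptions.

// Unsafe pattern the advisory describes: every submitted key, including
// "role", is copied into $userdata and handed to wp_insert_user() unchecked.
function example_insert_user_vulnerable( array $submitted ) {
    $userdata = array();
    foreach ( $submitted as $field => $value ) {
        $userdata[ $field ] = $value; // a client-supplied "role" passes straight through
    }
    return wp_insert_user( $userdata );
}

// Hardened pattern: the role is decided server-side from the form's allowlist
// and never taken from the request body as-is.
// $submitted     Sanitized form fields from the request.
// $allowed_roles Roles the form's field group settings permit.
// Returns the new user ID, or WP_Error when the request is rejected.
function example_insert_user_hardened( array $submitted, array $allowed_roles ) {
    $requested = isset( $submitted['role'] ) ? sanitize_key( $submitted['role'] ) : '';
    unset( $submitted['role'] );

    // Keep only configured roles that actually exist on this site.
    $site_roles  = array_keys( wp_roles()->get_names() );
    $valid_roles = array_values( array_intersect( $allowed_roles, $site_roles ) );
    if ( empty( $valid_roles ) ) {
        $valid_roles = array( get_option( 'default_role', 'subscriber' ) );
    }

    if ( '' !== $requested && ! in_array( $requested, $valid_roles, true ) ) {
        return new WP_Error( 'example_role_denied', 'Requested role is not permitted for this form.' );
    }
    $role = '' !== $requested ? $requested : $valid_roles[0];

    // Defence in depth: an unauthenticated submission must never yield a role
    // that can manage the site, even if the form was misconfigured to allow it.
    $role_obj = get_role( $role );
    if ( ! is_user_logged_in() && $role_obj && $role_obj->has_cap( 'manage_options' ) ) {
        return new WP_Error( 'example_privileged_role', 'Privileged roles cannot be self-registered.' );
    }

    $submitted['role'] = $role;
    return wp_insert_user( $submitted );
}
```

The key difference is that the hardened version discards the client-supplied role before building `$userdata` and only re-adds a value drawn from the server-side allowlist.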
Once an attacker gains administrative access, they can perform any action on the website, including:
- Install malicious plugins or backdoors for persistent access.
- Modify site content to inject spam or phishing links.
- Redirect legitimate traffic to external malicious domains.
- Access and steal sensitive user data and site configurations.
The vendor released a patch in version 0.9.2.2 on December 14, 2025. Administrators should verify their plugin version and update to the latest available version via the WordPress dashboard.