A widely-used WordPress plugin has a concerning vulnerability


Severe Vulnerability Discovered in ACF Plugin: Role Escalation to Administrator

  • Critical vulnerability identified in the Advanced Custom Fields: Extended plugin
  • Approximately 50,000 WordPress sites remain susceptible despite the patch
  • No instances of exploitation reported thus far, but vigilance is necessary

Roughly 50,000 WordPress websites are jeopardized by a critical vulnerability recently unearthed in a widely-used plugin.

In mid-December 2025, the security researcher Andrea Bocchetti alerted Wordfence to a significant flaw in the Advanced Custom Fields: Extended plugin, which augments functionality for the original Advanced Custom Fields (ACF) plugin.

This foundational plugin enables users to enhance posts and pages with custom fields and boasts an active user base of around 100,000 WordPress sites.

Mitigation Strategies

Bocchetti explained that the vulnerability stems from ineffective enforcement of role restrictions during form-based user creation or updates.

“In the flawed iteration, form fields lacked proper restrictions, allowing users to assign their roles arbitrarily, including ‘administrator’, irrespective of field settings, if a role field was present in the form,” Wordfence noted in its advisory.

“Such privilege escalation vulnerabilities can lead to complete site compromise.”

In essence, any unauthenticated user can potentially elevate their permissions to admin status, effectively seizing control of a WordPress site.
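To make the flaw concrete, here is an added PHP illustration (not code from ACF Extended, Wordfence or the researcher) of the weak pattern the advisory describes beside a hardened role resolver; the function names, the field-settings array, the capability callback and the submitted form data are all constructed for this example, and in a real plugin the resolved role is what would be handed to wp_insert_user() or wp_update_user().

```php
<?php
// Hypothetical helpers, written for this article; not the plugin's own code.

// Weak pattern: whatever the form submits becomes the account's role, so a
// visitor who edits the request can pick 'administrator' regardless of how
// the role field was configured.
function resolve_role_weak(array $post, array $field): string
{
    return $post['user_role'] ?? $field['default_value'];
}

// Hardened pattern: the submitted value must be one of the choices configured
// on the field, and a privileged role additionally requires that the acting
// user holds the capability to promote users. Anything else falls back to the
// field's configured default.
function resolve_role_hardened(array $post, array $field, callable $actor_can): string
{
    $submitted = $post['user_role'] ?? null;
    $allowed   = $field['choices'];          // the field's own settings decide what is assignable

    if ($submitted === null || !in_array($submitted, $allowed, true)) {
        return $field['default_value'];      // reject values outside the field's settings
    }

    // Even a configured choice must not hand out admin to an actor who could
    // not otherwise grant it (an anonymous visitor has no capabilities at all).
    if ($submitted === 'administrator' && !$actor_can('promote_users')) {
        return $field['default_value'];
    }

    return $submitted;
}

// Constructed input: a front-end 'Create User' form whose role field only
// offers subscriber/author, and a submission that tampers with the role value.
$field = ['choices' => ['subscriber', 'author'], 'default_value' => 'subscriber'];
$post  = ['user_login' => 'newuser', 'user_role' => 'administrator'];
$anon_can = fn(string $cap): bool => false;   // unauthenticated visitor: no capabilities

echo 'weak resolver:     ', resolve_role_weak($post, $field), PHP_EOL;
echo 'hardened resolver: ', resolve_role_hardened($post, $field, $anon_can), PHP_EOL;
```

Run with the PHP CLI: the weak resolver hands the tampered submission its chosen role, while the hardened one falls back to the field's default because 'administrator' is neither a configured choice nor grantable by an anonymous actor.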

The flaw affects versions 0.9.2.1 and earlier and is tracked as CVE-2025-14533, with a CVSS severity score of 9.8/10, rated critical.

However, exploitation requires specific conditions: the site must expose a ‘Create User’ or ‘Update User’ form with a mapped role field.

A fix was implemented in version 0.9.2.2. According to WordPress statistics, around 50,000 sites have updated to the latest version, thereby leaving a similar number still vulnerable.


As of this writing, no confirmed cases of exploitation have surfaced, but public disclosure of the flaw raises concerns that attackers may soon begin probing for sites that have not yet updated.

Source link: Techradar.com.


Reported By

RS Web Solutions
