Severe Vulnerability Discovered in ACF Extended Plugin for WordPress
A critical vulnerability has been identified within the Advanced Custom Fields: Extended (ACF Extended) plugin, enabling unauthenticated attackers to remotely gain administrative permissions on WordPress sites.
This plugin, which currently operates on approximately 100,000 websites, is designed to enhance the functionalities of the standard Advanced Custom Fields (ACF) plugin, providing additional tools for developers and sophisticated site builders.
Designated as CVE-2025-14533, this security flaw can be exploited through the ‘Insert User / Update User’ form action in versions 0.9.2.1 and earlier of ACF Extended. Attackers exploiting this vulnerability can attain admin privileges without proper authorization.
The issue stems from a failure to enforce role restrictions during the user creation or update processes. Notably, exploitation remains feasible even when role limitations are precisely configured in the field settings.
“In the vulnerable version [of the plugin], there are no restrictions for form fields, allowing the user’s role to be set arbitrarily, including ‘administrator,’ independent of field settings, provided a role field is included in the form,” explains Wordfence.
Research indicates that this privilege escalation vulnerability could lead to total site compromise. However, it should be noted that the vulnerability is exploitable solely on sites utilizing a ‘Create User’ or ‘Update User’ form with a mapped role field.
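The flaw described above is a server-side authorization gap: the role value submitted with the form is trusted as-is, so the allowlist the site builder configures on the field never takes effect. The following added example (not the ACF Extended plugin's code, and not from Wordfence) models both behaviours in Python so the difference is concrete. `FormRoleField`, `resolve_role_vulnerable` and `resolve_role_hardened` are invented names; `promote_users` mirrors the WordPress capability that gates role changes, and the role lists are constructed for the example.

```python
"""Role assignment for a 'create / update user' form: trusting the client
versus deciding on the server. Illustrative code, not the plugin's own."""
from dataclasses import dataclass, field

# Capabilities held by the principal submitting the form. An unauthenticated
# visitor on a public form holds none. (Constructed for the example.)
Caps = frozenset

DEFAULT_ROLE = "subscriber"
# Roles that must never be handed out on the strength of form input alone.
# Constructed list for the example.
PRIVILEGED_ROLES = {"administrator", "editor"}


@dataclass(frozen=True)
class FormRoleField:
    """Role field settings as configured by the site builder (assumed shape)."""
    allowed_roles: frozenset = field(default_factory=lambda: frozenset({DEFAULT_ROLE}))
    default_role: str = DEFAULT_ROLE


def resolve_role_vulnerable(submitted: dict, field_cfg: FormRoleField, actor_caps: Caps) -> str:
    """The pattern the advisory describes: the submitted value wins outright.

    Neither the field's allowlist nor the caller's capabilities are consulted,
    so a request carrying role=administrator yields an administrator even
    when the field was configured to offer only low-privilege roles.
    """
    return submitted.get("role", field_cfg.default_role)


def resolve_role_hardened(submitted: dict, field_cfg: FormRoleField, actor_caps: Caps) -> str:
    """Server-side decision: client input is a hint, never the authority."""
    requested = submitted.get("role")
    # 1. Nothing requested (or field not mapped): use the configured default.
    if requested is None:
        return field_cfg.default_role
    # 2. The field settings are an allowlist; anything outside it is dropped.
    if requested not in field_cfg.allowed_roles:
        return field_cfg.default_role
    # 3. Even an allowlisted privileged role requires a principal who may
    #    promote users, so an unauthenticated submission never lands above
    #    the default no matter what the request body contains.
    if requested in PRIVILEGED_ROLES and "promote_users" not in actor_caps:
        return field_cfg.default_role
    return requested
```

The hardened path falls back to the configured default rather than erroring, which is the usual choice for a public registration form; logging the dropped value alongside the request is a cheap way to spot probing of the form.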
Security researcher Andrea Bocchetti uncovered CVE-2025-14533 and reported the issue to Wordfence on December 10, 2025, prompting an elevation of the report to the vendor.
The vendor promptly remedied the shortcoming, issuing ACF Extended version 0.9.2.2 just four days later.
According to wordpress.org download statistics, the plugin has been downloaded approximately 50,000 times since the patched release. Even if every one of those downloads was an upgrade to the fixed version, roughly another 50,000 of the 100,000 installations would still be running a vulnerable release and remain exposed to attack.
Monitoring Activity Surrounding WordPress Plugins
While no direct attacks exploiting CVE-2025-14533 have been documented thus far, a report by the threat intelligence firm GreyNoise reveals extensive reconnaissance activities targeting susceptible WordPress plugins.
From late October 2025 through mid-January 2026, nearly 1,000 IP addresses spanning 145 Autonomous System Numbers (ASNs) engaged in approximately 40,000 unique enumeration events, documenting attempts to identify vulnerable installations of 706 different WordPress plugins.

The most scrutinized plugins during this period include Post SMTP, Loginizer, LiteSpeed Cache, SEO by Rank Math, Elementor, and Duplicator.
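The enumeration events GreyNoise counts are visible in ordinary web server access logs, which is where a site administrator can detect the same activity. The following added example (not from GreyNoise, Wordfence or the article) flags source addresses that probe many distinct plugin slugs in a short span of log. It assumes that a probe takes the form of a GET for `/wp-content/plugins/<slug>/readme.txt` or the plugin directory itself, a common way of confirming that a plugin is installed and reading its version; the log lines, addresses and slugs are constructed, using the plugin names mentioned above.

```python
"""Flag WordPress plugin-enumeration scans in combined-format access logs.
Added illustrative code; the sample log below is constructed."""
import re
from collections import defaultdict

# Apache/nginx "combined" format, reduced to the fields used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed probe shape: the plugin directory or its readme.txt, nothing deeper.
PLUGIN_RE = re.compile(
    r"^/wp-content/plugins/(?P<slug>[A-Za-z0-9_-]+)/?(?:readme\.txt)?(?:\?.*)?$"
)

# Constructed sample: one scanner walking several plugins, one ordinary
# visitor loading a plugin's CSS, and one single-probe address.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/post-smtp/readme.txt HTTP/1.1" 404 153
203.0.113.7 - - [12/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/loginizer/readme.txt HTTP/1.1" 200 2210
203.0.113.7 - - [12/Jan/2026:10:00:02 +0000] "GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1" 404 153
203.0.113.7 - - [12/Jan/2026:10:00:02 +0000] "GET /wp-content/plugins/acf-extended/readme.txt HTTP/1.1" 200 5120
198.51.100.4 - - [12/Jan/2026:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 8812
198.51.100.4 - - [12/Jan/2026:10:00:06 +0000] "GET /wp-content/plugins/elementor/assets/css/frontend.min.css HTTP/1.1" 200 40101
192.0.2.9 - - [12/Jan/2026:10:01:00 +0000] "GET /wp-content/plugins/duplicator/readme.txt HTTP/1.1" 404 153
"""


def parse(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probed_slug(path: str):
    """Return the plugin slug if the path looks like an enumeration probe."""
    m = PLUGIN_RE.match(path)
    return m.group("slug") if m else None


def enumeration_report(log_text: str, threshold: int = 3) -> dict:
    """Map IP -> {'slugs', 'present'} for IPs probing at least `threshold` plugins.

    'present' holds slugs that answered 200: plugins the scanner has now
    confirmed as installed, which is the patch list to act on first.
    """
    probes = defaultdict(lambda: {"slugs": set(), "present": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["method"] != "GET":
            continue
        slug = probed_slug(rec["path"])
        if slug is None:
            continue
        probes[rec["ip"]]["slugs"].add(slug)
        if rec["status"] == "200":
            probes[rec["ip"]]["present"].add(slug)
    return {ip: d for ip, d in probes.items() if len(d["slugs"]) >= threshold}


if __name__ == "__main__":
    for ip, d in enumeration_report(SAMPLE_LOG).items():
        print(ip, "probed", sorted(d["slugs"]), "confirmed", sorted(d["present"]))
```

The threshold is deliberately low because a legitimate visitor has no reason to request several plugins' readme files; the `present` set matters more than the raw count, since a 200 tells both the scanner and the administrator exactly which installed plugins need checking against current advisories.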
Additionally, in early November 2025, Wordfence noted active exploitation of the Post SMTP vulnerability, CVE-2025-11833, which was targeted by 91 distinct IP addresses.
GreyNoise also advised administrators to address CVE-2024-28000, affecting LiteSpeed Cache, which was flagged as actively exploited by Wordfence in August 2024.
Source link: Bleepingcomputer.com.