
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to th…

Published: 19 January 2026 at 23:00:00

Alert date: 20 January 2026 at 11:15:47

Source: nvd.nist.gov


Web Technologies

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to privilege escalation in all versions up to and including 0.9.2.1. The flaw is in the 'insert_user' function, which does not restrict the roles a user can register with. An unauthenticated attacker can supply the 'administrator' role during registration and gain full administrative access. The issue is exploitable only when 'role' is mapped to a custom field. On affected sites this is a critical flaw that allows complete compromise of the WordPress installation.
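A site-level guard against this class of bug, as an added example that is not part of the advisory or the plugin's code: a must-use plugin that resets any role outside an allowlist when an account is created by a request that has no right to assign roles. It uses only WordPress core hooks and functions; the `rrg_` names, the allowlist contents and the log wording are assumptions.

```php
<?php
/**
 * Plugin Name: Registration role guard (added example)
 *
 * Place in wp-content/mu-plugins/. Makes no assumption about the
 * internals of the affected plugin; it only checks the resulting account.
 */

// Assumption: roles a self-registered account may hold on this site.
// The first entry is used as the fallback role.
const RRG_ALLOWED_ROLES = array( 'subscriber' );

// 'user_register' fires in wp_insert_user() after the new account's
// role has been assigned, so the role seen here is the effective one.
add_action( 'user_register', 'rrg_enforce_registration_role', 1 );

function rrg_enforce_registration_role( $user_id ) {
    // Site installation and WP-CLI create administrators legitimately.
    if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    // A logged-in user who is allowed to assign roles may create any account.
    if ( current_user_can( 'promote_users' ) ) {
        return;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // Roles on the new account that self-registration should never grant.
    $unexpected = array_diff( (array) $user->roles, RRG_ALLOWED_ROLES );
    if ( empty( $unexpected ) ) {
        return;
    }

    // Replace every assigned role with the fallback role.
    $user->set_role( RRG_ALLOWED_ROLES[0] );

    // Leave a trace for incident review: which account, which roles.
    error_log( sprintf(
        'registration role guard: user %d registered with role(s) [%s], reset to %s',
        (int) $user_id,
        implode( ',', $unexpected ),
        RRG_ALLOWED_ROLES[0]
    ) );
}
```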

Technical details

Mitigation steps:

Affected products:

WordPress Advanced Custom Fields: Extended plugin

Related links:

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
