


Perceptive Security
SOC/SIEM Consultancy

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to th…
Published: 19 January 2026 at 23:00:00
Alert date: 20 January 2026 at 11:15:47
Source: nvd.nist.gov
Web Technologies
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to privilege escalation in all versions up to and including 0.9.2.1. The vulnerability is in the 'insert_user' function, which does not restrict the roles a user can register with. An unauthenticated attacker can supply the 'administrator' role during registration and gain full administrative access. The flaw is exploitable only when 'role' is mapped to a custom field. It is a critical flaw that allows complete compromise of WordPress sites using the affected plugin.
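A compensating control for the missing role restriction described above, written as a WordPress must-use plugin. This is an added example, not code from ACF Extended or from this alert. It assumes the plugin's form action creates accounts through WordPress core's `wp_insert_user()`, so the core `user_register` action fires; the `psg_` names and the allowlist are hypothetical.

```php
<?php
/**
 * Plugin Name: Registration role guard (added example, not ACF Extended code)
 *
 * Resets any privileged role assigned to an account that was created by a
 * request without user-management rights, and logs the event for review.
 */

// Assumption: the only role this site hands out through public registration.
const PSG_SELF_REGISTRATION_ROLES = array( 'subscriber' );

/** Return the roles in $roles that are not on the registration allowlist. */
function psg_disallowed_roles( array $roles, array $allowed ) {
    return array_values( array_diff( $roles, $allowed ) );
}

/** Runs on core's 'user_register' action, after the new account's role is set. */
function psg_guard_new_user( $user_id ) {
    // Administrative tooling (WP-CLI) legitimately creates privileged accounts.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;
    }
    // So does a logged-in user who holds the capability to create users.
    if ( is_user_logged_in() && current_user_can( 'create_users' ) ) {
        return;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    $bad = psg_disallowed_roles( (array) $user->roles, PSG_SELF_REGISTRATION_ROLES );
    if ( empty( $bad ) ) {
        return;
    }

    // set_role() replaces every role on the account with the one given.
    $user->set_role( PSG_SELF_REGISTRATION_ROLES[0] );
    error_log( sprintf(
        'Registration role guard: user %d was created with role(s) "%s" by a request without create_users; reset to "%s".',
        $user_id,
        implode( ',', $bad ),
        PSG_SELF_REGISTRATION_ROLES[0]
    ) );
}
add_action( 'user_register', 'psg_guard_new_user', 10, 1 );
```

Each log line it writes is also a detection signal: a registration that requested a role outside the allowlist.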
Technical details
Affected products:
WordPress Advanced Custom Fields: Extended plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-14533
https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636
https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437
https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356
https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve
This article was created with the assistance of AI technology by Perceptive.
