cbcvebase.
CVE-2025-13486
published 2025-12-03


Priority: P1 · 92 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 73.56% (99.4th percentile)
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.

Affected

1 range

Vendor: hwk-fr
Product: advanced_custom_fields_extended
Version range: 0.9.0.5 – 0.9.1.1
Fixed in: (not listed on this page)

Detection & IOCs (extracted from sources)

command: action=acfe/form/render_form_ajax&nonce={{nonce}}&form[render]=wp_insert_user&form[user_login]={{username}}&form[user_pass]={{password}}&form[user_email]={{email}}&form[role]=administrator
path: /wp-admin/admin-ajax.php
other: acfe/form/render_form_ajax
other: form[render]=wp_insert_user
other: fofa-query: body="wp-content/plugins/acf-extended"
  • Monitor POST requests to /wp-admin/admin-ajax.php containing the action parameter 'acfe/form/render_form_ajax' combined with 'form[render]=wp_insert_user' and 'form[role]=administrator' — this is the exact exploit payload for CVE-2025-13486.
  • The exploit requires a WordPress page containing an ACF Extended form widget that exposes a nonce token in the page's JavaScript (regex: 'acf\.data.*?"nonce":"([a-f0-9]+)"'). Detect multi-step attacks: GET to harvest nonce, POST to admin-ajax.php to create admin, POST to wp-login.php to authenticate.
  • The vulnerability is in the prepare_form() function of the acfe_module_form_front_render class — the form[render] parameter is passed directly to call_user_func_array() without sanitization. Any callable PHP function name in form[render] is a red flag.
  • After successful exploitation, look for newly created WordPress administrator accounts and uploaded malicious plugins as post-exploitation indicators.
  • The exploit chain ends with a POST to /wp-login.php; a 302 redirect response containing 'wordpress_logged_in' in the Set-Cookie header confirms successful admin account creation and login.
  • The exploit only works against plugin versions 0.9.0.5 through 0.9.1.1. Version 0.9.2 patches the vulnerability. Detections should be scoped to sites running the vulnerable version range.
  • Exploitation requires a WordPress page with an ACF Extended form widget present (to expose the nonce). Sites without any ACF Extended form widget rendered on a public page are not directly exploitable via this unauthenticated path.
  • The nonce value is dynamic and harvested per-session from the target page's JavaScript. Static nonce-based blocking is not effective; detection must focus on the action and form[render] parameters instead.
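The detection guidance above can be turned into a small classifier over request records. The following is an added example written for this page; it is not code from cbcvebase, from the plugin, or from any published detection rule. It assumes you have request events that include the POST body (for instance from a WAF or full-request log; a plain access log does not carry bodies), keyed by source IP, with the response status and Set-Cookie header available for the login-confirmation step. It ignores the nonce entirely, since that value changes per session, and flags any value in form[render], escalating to critical when the value is wp_insert_user together with form[role]=administrator. The sample events are constructed, with documentation-range IPs and placeholder credentials.

```python
"""Request-pattern detection for CVE-2025-13486 (added example, not from the page's sources)."""
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
LOGIN_PATH = "/wp-login.php"
ACFE_ACTION = "acfe/form/render_form_ajax"


def classify_request(url, body):
    """Return None for benign traffic, or a finding dict for suspicious ACFE calls.

    The nonce is deliberately ignored: it is harvested per session, so matching
    on it has no detection value. The HTTP method is not checked either, so the
    classifier also catches the same parameters sent via a query string.
    """
    parts = urlsplit(url)
    if not parts.path.endswith(AJAX_PATH):
        return None
    # The action may sit in the query string or in the form body; merge both.
    params = parse_qs(parts.query)
    params.update(parse_qs(body or ""))
    if params.get("action", [""])[0] != ACFE_ACTION:
        return None
    render = params.get("form[render]", [None])[0]
    if render is None:
        return {"severity": "info", "render": None,
                "reason": "ACFE render_form_ajax call without form[render]"}
    role = params.get("form[role]", [""])[0]
    if render == "wp_insert_user" and role == "administrator":
        return {"severity": "critical", "render": render,
                "reason": "form[render]=wp_insert_user with form[role]=administrator"}
    # Any other callable name in form[render] is still a red flag.
    return {"severity": "high", "render": render,
            "reason": "callable supplied in form[render]: " + render}


def scan(events):
    """Classify every (src_ip, method, url, body, status, set_cookie) event."""
    findings = []
    for src_ip, _method, url, body, _status, _cookie in events:
        finding = classify_request(url, body)
        if finding:
            finding["src_ip"] = src_ip
            findings.append(finding)
    return findings


def confirmed_logins(events):
    """Source IPs where an admin-creation attempt was followed by a successful login.

    Success is a POST to /wp-login.php answered with 302 and a Set-Cookie
    header containing 'wordpress_logged_in', as described in the IOC notes.
    """
    suspects, confirmed = set(), []
    for src_ip, method, url, body, status, set_cookie in events:
        finding = classify_request(url, body)
        if finding and finding["severity"] == "critical":
            suspects.add(src_ip)
        elif (src_ip in suspects and method.upper() == "POST"
              and urlsplit(url).path.endswith(LOGIN_PATH)
              and status == 302 and "wordpress_logged_in" in (set_cookie or "")):
            confirmed.append(src_ip)
    return confirmed


# Constructed sample events: (src_ip, method, url, body, status, Set-Cookie header)
SAMPLE_EVENTS = [
    ("203.0.113.7", "GET", "/contact/", "", 200, ""),
    ("198.51.100.2", "POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abc123", 200, ""),
    ("203.0.113.7", "POST", "/wp-admin/admin-ajax.php",
     "action=acfe/form/render_form_ajax&nonce=0123abcd&form[render]=wp_insert_user"
     "&form[user_login]=newadmin&form[user_pass]=p&form[user_email]=a%40example.invalid"
     "&form[role]=administrator", 200, ""),
    ("203.0.113.7", "POST", "/wp-login.php", "log=newadmin&pwd=p", 302,
     "wordpress_logged_in_abc=newadmin%7Cconstructed; Path=/; HttpOnly"),
    ("198.51.100.9", "POST", "/wp-admin/admin-ajax.php?action=acfe/form/render_form_ajax",
     "nonce=0123abcd&form[render]=other_callable", 200, ""),
    ("198.51.100.9", "POST", "/wp-admin/admin-ajax.php",
     "action=acfe/form/render_form_ajax&nonce=0123abcd", 200, ""),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["src_ip"], f["reason"])
    print("confirmed admin logins from:", confirmed_logins(SAMPLE_EVENTS))
```

Scope the "high" and "critical" findings to hosts known to run plugin versions 0.9.0.5 through 0.9.1.1 to keep noise down, and pair any "critical" hit with a review of recently created administrator accounts and newly uploaded plugins, whether or not the login step was observed.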

CVSS provenance

NVD: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL