CVE-2025-13486
Published 2025-12-03
Priority: P1 (92)
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Status: exploited in the wild (ITW exploit); listed in VulnCheck KEV; tactic: initial access
EPSS: 73.56% (99.4th percentile)
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hwk-fr | advanced_custom_fields_extended | 0.9.0.5 – 0.9.1.1 | — |
Detection & IOCs (extracted from sources)
Command/payload IOC (POST body to /wp-admin/admin-ajax.php):
- `action=acfe/form/render_form_ajax&nonce={{nonce}}&form[render]=wp_insert_user&form[user_login]={{username}}&form[user_pass]={{password}}&form[user_email]={{email}}&form[role]=administrator`
Detection guidance:
- Monitor POST requests to /wp-admin/admin-ajax.php containing the action parameter 'acfe/form/render_form_ajax' combined with 'form[render]=wp_insert_user' and 'form[role]=administrator'; this is the exact exploit payload for CVE-2025-13486.
- The exploit requires a WordPress page containing an ACF Extended form widget that exposes a nonce token in the page's JavaScript (regex: 'acf\.data.*?"nonce":"([a-f0-9]+)"'). Detect multi-step attacks: GET to harvest the nonce, POST to admin-ajax.php to create an admin, POST to wp-login.php to authenticate.
- The vulnerability is in the prepare_form() function of the acfe_module_form_front_render class: the form[render] parameter is passed directly to call_user_func_array() without sanitization. Any callable PHP function name in form[render] is a red flag.
- After successful exploitation, look for newly created WordPress administrator accounts and uploaded malicious plugins as post-exploitation indicators.
- The exploit chain ends with a POST to /wp-login.php; a 302 redirect response containing 'wordpress_logged_in' in the Set-Cookie header confirms successful admin account creation and login.
Scoping notes:
- The exploit only works against plugin versions 0.9.0.5 through 0.9.1.1. Version 0.9.2 patches the vulnerability. Detections should be scoped to sites running the vulnerable version range.
- Exploitation requires a WordPress page with an ACF Extended form widget present (to expose the nonce). Sites without any ACF Extended form widget rendered on a public page are not directly exploitable via this unauthenticated path.
- The nonce value is dynamic and harvested per-session from the target page's JavaScript. Static nonce-based blocking is not effective; detection must focus on the action and form[render] parameters instead.
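The following is an added detection example (written for this page, not code from any of the sources listed) that applies the guidance above to the admin-ajax.php stage of the chain: it keys on the `action` and `form[render]` parameters of POST bodies, ignores the per-session nonce, grades the exact admin-creation payload as critical and any other `form[render]` value as suspicious. The request tuples, usernames and nonce values are constructed samples, not captured traffic.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests as (method, path, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("GET", "/contact/", ""),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abcd1234"),
    ("POST", "/wp-admin/admin-ajax.php?x=1",
     "action=acfe/form/render_form_ajax&nonce=0123abcd&form[render]=wp_insert_user"
     "&form[user_login]=evil&form[user_pass]=p&form[user_email]=e%40example.invalid"
     "&form[role]=administrator"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=acfe/form/render_form_ajax&nonce=0123abcd&form[render]=wp_insert_user"
     "&form[user_login]=low&form[role]=subscriber"),
]

ACTION = "acfe/form/render_form_ajax"


def classify(method, path, body):
    """Return a finding dict for one request, or None if it does not match.

    Matching keys on the action and form[render] parameters only; the nonce is
    per-session and deliberately ignored, since static nonce blocking is useless.
    """
    if method != "POST" or not urlsplit(path).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes keys, so form%5Brender%5D and form[render] both
    # arrive as the literal key "form[render]"; PHP array syntax is not expanded.
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != ACTION or "form[render]" not in params:
        return None
    render = params["form[render]"][0]
    role = params.get("form[role]", [""])[0]
    finding = {"render": render, "user_login": params.get("form[user_login]", [""])[0]}
    if render == "wp_insert_user" and role == "administrator":
        finding["severity"] = "critical"  # exact CVE-2025-13486 admin-creation payload
    elif render == "wp_insert_user":
        finding["severity"] = "high"      # account creation with a non-admin role
    else:
        finding["severity"] = "medium"    # any other callable name reaching form[render]
    return finding


def scan(requests):
    """Run classify() over (method, path, body) tuples and return findings in order."""
    return [f for f in (classify(*r) for r in requests) if f]
```

Findings from this stage can be joined with a preceding GET to a page carrying an ACF Extended form widget and a following POST to /wp-login.php from the same client to reconstruct the full chain the bullets describe.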
CVSS provenance
- NVD: CVSS v3.1, 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-8q8p-fv92-864w (ghsa_unreviewed, 2025-12-03): CVE-2025-13486 [CRITICAL], CWE-94. The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function.
VulnCheck
CVE-2025-13486 [CRITICAL], CVSS 9.8: acfextended advanced_custom_fields_extended, Improper Control of Generation of Code ('Code Injection')
Affected: acfextended advanced_custom_fields_extended
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://w
No detection rules found.
Nuclei
CVE-2025-13486 [CRITICAL], CVSS 9.8: Advanced Custom Fields Extended < 0.9.2 - Remote Code Execution
Advanced Custom Fields: Extended WordPress plugin 0.9.0.5 through 0.9.1.1 contains a remote code execution caused by unsafe use of call_user_func_array() in the prepare_form() function, letting unauthenticated attackers execute arbitrary code remotely.
Template:
```yaml
id: CVE-2025-13486

info:
  name: Advanced Custom Fields Extended < 0.9.2 - Remote Code Execution
  author: 0xanis
  severity: critical
  description: |
    Advanced Custom Fields: Extended WordPress plugin 0.9.0.5 through 0.9.1.1 contains a remote code execution caused by unsafe use of call_user_func_array() in prepare_form() function, letting unauthenticated attackers execute arbitrary code remotely.
  impact: |
    Unauthenticated attackers can execute arbitrary code remotely, potenti
```
Metasploit
WordPress ACF Extended Unauthenticated RCE via prepare_form()
This module exploits an unauthenticated Remote Code Execution vulnerability in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin versions 0.9.0.5 through 0.9.1.1. The vulnerability exists in the prepare_form() function of the acfe_module_form_front_render class, which accepts user-controlled input via the form[render] parameter and passes it directly to call_user_func_array() without proper sanitization. This exploit requires a WordPress page containing an ACF Extended form widget, which exposes the required nonce token in the page's JavaScript. The NONCE_PAGE option must be set to the path of such a page. Once an administrator account is created via wp_insert_user(), the module uploads and executes a malicio