CVE-2025-14533
Published: 2026-01-20
Priority: P270 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.98% (57.9th percentile)
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hwk-fr | advanced_custom_fields_extended | <= 0.9.2.1 | 0.9.2.2 |
Detection & IOCs (extracted from sources)
- The vulnerability is only exploitable when a 'Create User' or 'Update User' form with a role field mapped is present on the site. Detection should focus on unauthenticated POST requests to ACF Extended form submission endpoints that include a 'role' parameter set to 'administrator'.
- The vulnerable function is 'insert_user' in the ACF Extended plugin. Monitor for unauthenticated requests invoking this function with elevated role values (e.g., 'administrator').
- Privilege escalation to administrator via this flaw enables complete site compromise. Monitor for newly created WordPress administrator accounts originating from unauthenticated sessions, especially on sites running ACF Extended.
- The vulnerability affects all ACF Extended plugin versions up to and including 0.9.2.1. Version 0.9.2.2 contains the fix. Prioritize detection and patching on sites still running 0.9.2.1 or earlier.
- The vulnerability can be exploited even when role limitations are appropriately configured in the ACF Extended field settings; field-level restrictions are not enforced in the vulnerable versions.
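The following is an added detection example written for this page; it is not code from the plugin, from Wordfence, or from any of the sources quoted here. It turns the signals listed above into three checks: a version comparison against the fixed release, a scan of request records for unauthenticated POST bodies that carry the value 'administrator', and a sweep of user records for recently registered administrators. The tab-separated request export format, the acf[field_*] parameter names, the cookie values and the user records are all constructed for the example; the only WordPress fact relied on is that logged-in sessions carry a wordpress_logged_in_<hash> cookie.

```python
"""Detection helpers for the ACF Extended role-escalation issue (CVE-2025-14533)."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs

# First version containing the fix, per the advisory text quoted on this page.
FIXED_VERSION = (0, 9, 2, 2)
# Role values worth alerting on when they appear in an unauthenticated form submission.
PRIVILEGED_ROLES = {"administrator"}

# Constructed sample export (NOT a real capture): one request per line, tab-separated as
# timestamp, client IP, method, path, Cookie header ("-" if none), URL-encoded POST body ("-" if none).
# The acf[field_*] parameter names are an assumption about how a mapped field might be posted;
# the site-specific field key is why the scan matches on the value rather than the name.
SAMPLE_LOG = """\
2026-01-21T10:02:11Z\t203.0.113.7\tPOST\t/register/\t-\tacf[field_name]=alice&acf[field_email]=alice%40example.test&acf[field_role]=administrator
2026-01-21T10:02:40Z\t198.51.100.4\tPOST\t/register/\t-\tacf[field_name]=bob&acf[field_email]=bob%40example.test&acf[field_role]=subscriber
2026-01-21T10:03:05Z\t192.0.2.9\tPOST\t/profile/\twordpress_logged_in_abc123=carol%7C1769000000%7Cdeadbeef\tacf[field_role]=administrator
2026-01-21T10:03:30Z\t203.0.113.7\tGET\t/wp-admin/\twordpress_logged_in_abc123=alice%7C1769000500%7Ccafebabe\t-
"""

# Constructed extract of wp_users joined with role capabilities: (user_login, user_registered, roles).
SAMPLE_USERS = [
    ("siteowner", "2024-03-02T09:00:00Z", ["administrator"]),
    ("bob", "2026-01-21T10:02:40Z", ["subscriber"]),
    ("alice", "2026-01-21T10:02:11Z", ["administrator"]),
]


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    path: str
    param: str
    role: str
    authenticated: bool


def parse_version(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True for every version up to and including 0.9.2.1; tuple comparison handles 0.9.2 vs 0.9.2.1."""
    return parse_version(version) < FIXED_VERSION


def is_authenticated(cookie_header: str) -> bool:
    """WordPress marks a logged-in session with a wordpress_logged_in_<hash> cookie."""
    return any(c.strip().startswith("wordpress_logged_in_") for c in cookie_header.split(";"))


def scan_log(text: str) -> list[Finding]:
    """Flag every POST body parameter whose value is a privileged role name."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, client_ip, method, path, cookies, body = line.split("\t")
        if method != "POST" or body == "-":
            continue
        params = parse_qs(body, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                role = value.strip().lower()
                if role in PRIVILEGED_ROLES:
                    findings.append(Finding(timestamp, client_ip, path, name, role,
                                            cookies != "-" and is_authenticated(cookies)))
    return findings


def unauthenticated_escalations(findings: list[Finding]) -> list[Finding]:
    """The exploitable case from the advisory: a privileged role supplied without a logged-in session."""
    return [f for f in findings if not f.authenticated]


def new_admins_since(users, since_iso: str) -> list[str]:
    """Administrators registered at or after a cut-off (ISO-8601 UTC strings compare lexicographically)."""
    return sorted(login for login, registered, roles in users
                  if "administrator" in roles and registered >= since_iso)


if __name__ == "__main__":
    print("0.9.2.1 vulnerable:", is_vulnerable("0.9.2.1"), "| 0.9.2.2 vulnerable:", is_vulnerable("0.9.2.2"))
    for f in unauthenticated_escalations(scan_log(SAMPLE_LOG)):
        print(f"ALERT {f.timestamp} {f.client_ip} POST {f.path} {f.param}={f.role} (unauthenticated)")
    print("Administrators created since 2026-01-01:", new_admins_since(SAMPLE_USERS, "2026-01-01T00:00:00Z"))
```

Ordinary web-server access logs do not record POST bodies or cookies, so in practice the request records would come from a WAF or ModSecurity audit log, or from a reverse proxy configured to log bodies. The third request in the sample is deliberately a logged-in user posting 'administrator' and is reported by scan_log but not by unauthenticated_escalations; that separation keeps legitimate admin-side profile edits out of the alert while still leaving them reviewable.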
No detection rules found.
No public exploits indexed.
Source: BleepingComputer (blogs_bleepingcomputer), 2026-01-20, CVSS 9.8
## ACF plugin bug gives hackers admin on 50,000 WordPress sites
By Bill Toulas
A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions.
ACF Extended, currently active on 100,000 websites, is a specialized plugin that extends the capabilities of the Advanced Custom Fields (ACF) plugin with features for developers and advanced site builders.
The vulnerability, tracked as CVE-2025-14533, can be leveraged for admin privileges by abusing the plugin’s ‘Insert User / Update User’ form action, in versions of ACF Extended 0.9.2.1 and earlier.
The flaw arises from the lack of enforcement of role restrictions during form-based user creation or updates,
Source: Wiz (blogs_wiz), CVSS 9.8
## CVE-2025-14533 Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation. The NVD description reproduced by Wiz is identical to the summary quoted above (Source: NVD).
Score: 9.8 (CNA score 9.8)
Severity: CRITICAL
Published: January 20, 2026
Affected Technologies: WordPress
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probabili
References
- https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636 (0.9.2.1 tag)
- https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437 (0.9.2.2 tag)
- https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356 (0.9.2.2 tag)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve (Wordfence advisory)