CVE-2025-14533
published 2026-01-20


Priority: P2 (70)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.98% (57.9th percentile)
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
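To make the flaw class concrete, here is an added illustration of the vulnerable pattern beside a hardened version. This is not the ACF Extended plugin's own code; the function names, the shape of the `$form_input` array and the allowlist of assignable roles are assumptions. The WordPress API calls (`wp_insert_user`, `wp_roles`, `current_user_can`, `sanitize_key`) are real.

```php
<?php
/**
 * Added example, not ACF Extended code. Function names, the $form_input
 * layout and the $allowed_roles list are assumptions for illustration.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Vulnerable pattern: the role the (possibly anonymous) submitter typed into a
// mapped 'role' field is handed straight to wp_insert_user(), so
// role=administrator is honoured.
function example_insert_user_vulnerable( array $form_input ) {
    $userdata = array(
        'user_login' => sanitize_user( $form_input['user_login'] ?? '' ),
        'user_email' => sanitize_email( $form_input['user_email'] ?? '' ),
        'user_pass'  => $form_input['user_pass'] ?? wp_generate_password(),
    );
    if ( ! empty( $form_input['role'] ) ) {
        $userdata['role'] = $form_input['role']; // attacker controlled
    }
    return wp_insert_user( $userdata );
}

// Hardened pattern: the submitted role is never trusted on its own. It must be
// a role WordPress knows, it must be on the form's own allowlist, and the
// submitter must already be logged in with the capability to promote users.
// Anything else collapses to the site's default role.
function example_resolve_role( ?string $requested, array $allowed_roles ) : string {
    $default = get_option( 'default_role', 'subscriber' );
    if ( $requested === null || $requested === '' ) {
        return $default;
    }
    $requested = sanitize_key( $requested );
    $known     = array_keys( wp_roles()->get_names() );
    if ( ! in_array( $requested, $known, true ) || ! in_array( $requested, $allowed_roles, true ) ) {
        return $default;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
        return $default;
    }
    return $requested;
}

function example_insert_user_hardened( array $form_input ) {
    // Roles this particular form may assign even for a privileged submitter.
    // Assumption: 'administrator' is deliberately absent.
    $allowed_roles = array( 'subscriber', 'contributor' );

    $userdata = array(
        'user_login' => sanitize_user( $form_input['user_login'] ?? '' ),
        'user_email' => sanitize_email( $form_input['user_email'] ?? '' ),
        'user_pass'  => $form_input['user_pass'] ?? wp_generate_password(),
        'role'       => example_resolve_role( $form_input['role'] ?? null, $allowed_roles ),
    );
    $user_id = wp_insert_user( $userdata );
    return is_wp_error( $user_id ) ? $user_id : (int) $user_id;
}
```

The check lives at the point where the role is written, not in the form's field configuration: a restriction that is only expressed in field settings can be bypassed by posting a value the settings never offered, which is the failure mode the advisory describes.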

Affected

1 range

Vendor    Product                           Version range    Fixed in
hwk-fr    advanced_custom_fields_extended   <= 0.9.2.1       (not listed)

Detection & IOCs (extracted from sources)

  • The vulnerability is only exploitable when a 'Create User' or 'Update User' form with a role field mapped is present on the site. Detection should focus on unauthenticated POST requests to ACF Extended form submission endpoints that include a 'role' parameter set to 'administrator'.
  • The vulnerable function is 'insert_user' in the ACF Extended plugin. Monitor for unauthenticated form submissions that reach this function with elevated role values (e.g., 'administrator').
  • Privilege escalation to administrator via this flaw enables complete site compromise. Monitor for newly created WordPress administrator accounts that originate from unauthenticated sessions, especially on sites running ACF Extended.
  • The vulnerability affects all ACF Extended plugin versions up to and including 0.9.2.1. Version 0.9.2.2 contains the fix. Prioritize detection and patching on sites still running 0.9.2.1 or earlier.
  • The vulnerability can be exploited even when role limitations are appropriately configured in the ACF Extended field settings: field-level restrictions are not enforced in the vulnerable versions.
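The bullets above call for catching administrator accounts created by unauthenticated requests. One way to do that from inside WordPress, as an added example that is not ACF Extended code or a vendor-supplied rule, is a must-use plugin that hooks user creation and role assignment and raises an alert when the resulting account is an administrator but the request had no actor allowed to promote users. The option name, the log prefix and the choice to demote rather than delete are assumptions; the hooks `user_register` and `set_user_role` and the other API calls are real.

```php
<?php
/**
 * Plugin Name: Example admin-creation watchdog
 *
 * Added example, not ACF Extended code. Install in wp-content/mu-plugins/.
 * Assumptions: the option name, the 'SUSPICIOUS_ADMIN_CREATED' log prefix,
 * and demoting (rather than deleting) the account.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'EXAMPLE_WATCHDOG_DEMOTE', true ); // assumption: strip the role, keep the account for forensics

// user_register fires after wp_insert_user() has applied the role, so the new
// user's roles are final by the time the callback runs.
add_action( 'user_register', 'example_watchdog_check', PHP_INT_MAX, 1 );
// set_user_role also catches code that inserts the user first and promotes it afterwards.
add_action( 'set_user_role', 'example_watchdog_check', PHP_INT_MAX, 1 );

function example_watchdog_check( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user || ! in_array( 'administrator', (array) $user->roles, true ) ) {
        return;
    }

    // Legitimate paths: WP-CLI (no HTTP request at all), or a logged-in actor
    // who may promote users (Users > Add New, a real admin editing a profile).
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;
    }
    $actor = wp_get_current_user();
    if ( $actor->exists() && user_can( $actor, 'promote_users' ) ) {
        return;
    }

    $record = array(
        'time'      => gmdate( 'c' ),
        'new_user'  => $user->user_login,
        'new_email' => $user->user_email,
        'actor_id'  => $actor->ID, // 0 for an unauthenticated request
        'ip'        => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'method'    => isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '',
        'uri'       => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'post_keys' => array_keys( $_POST ), // which form fields arrived, without their values
    );

    // error_log() lands in the PHP/web-server error log where a SIEM can collect
    // it; the option copy lets responders read it from wp-admin or WP-CLI.
    error_log( 'SUSPICIOUS_ADMIN_CREATED ' . wp_json_encode( $record ) );
    $events   = get_option( 'example_watchdog_events', array() );
    $events[] = $record;
    update_option( 'example_watchdog_events', array_slice( $events, -100 ), false );

    if ( EXAMPLE_WATCHDOG_DEMOTE ) {
        // Guard against a site whose default role is itself administrator,
        // which would otherwise re-trigger set_user_role forever.
        $fallback = get_option( 'default_role', 'subscriber' );
        if ( 'administrator' === $fallback ) {
            $fallback = 'subscriber';
        }
        $user->set_role( $fallback );
    }
}
```

The hook-based check only sees role changes that go through `WP_User::set_role()`; code that writes the `wp_capabilities` meta directly would not trigger it, so the periodic inventory of administrator accounts (for example `wp user list --role=administrator --fields=ID,user_login,user_registered`) remains necessary alongside it. Demotion at `PHP_INT_MAX` priority runs after any other callback on the same hook, so a plugin that re-promotes the user later in the request would still be visible in the log entry for its own call.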