A critical vulnerability has been disclosed in "Advanced Custom Fields: Extended" (ACF Extended), a WordPress add-on for the Advanced Custom Fields plugin that is installed on more than 100,000 sites. The flaw lets an unauthenticated attacker execute arbitrary PHP code on the server, which is sufficient for full takeover of an affected site.
The vulnerability is tracked as CVE-2025-13486 and carries a CVSS score of 9.8. It was found by security researcher dudekmar and reported through the Wordfence Bug Bounty Program, which paid a bounty of $4,290.00 for the report, reflecting both its severity and its quality.
The bug sits in the prepare_form() method of the plugin's acfe_module_form_front_render class, which renders forms on the site's front end.
The problem is how that method handles request data while rendering. It calls call_user_func_array(), the PHP function that invokes a callback with an array of arguments, and both the callback and the argument array are taken from user-supplied input.
According to the technical analysis, “the function used to render the form is defined using the ‘form[render]’ parameter retrieved from user input, and the data passed to the function is retrieved from the ‘form’ parameter, which is also supplied via user input.”
Because the plugin neither restricted the callback name nor validated the arguments, any function name sent in that parameter is invoked. "Unfortunately, there is no restriction on the function call, which means that the attacker can call an arbitrary PHP function through the ‘form[render]’ parameter… making arbitrary code injection possible."
The impact is severe because the flaw is an unauthenticated Remote Code Execution (RCE): an attacker needs no account on the site, only the ability to send requests to it.
Researchers highlighted that “one example of leveraging this vulnerable function call is to achieve privilege escalation: an attacker can use the wp_insert_user() function to create a new administrator user”. Once administrative access is established, the attacker effectively owns the site. “As with all remote code execution vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.”
The fix removes the dangerous code path rather than trying to filter it. "The vendor patched this issue by completely removing this user input and call_user_func_array() function-based render part from the prepare_form() function."
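To make the mechanism described above concrete, the following is an added illustration and not code from ACF Extended: it shows the call shape the advisory describes (callback name and argument list both read from the request) next to an allow-list version that only resolves a fixed set of renderers. The function names, the layout of the request array and the 'args' key are assumptions made for the demo.

```php
<?php
// Added illustration, not code from the ACF Extended plugin. Function names,
// the request array layout and the 'args' key are assumptions for this demo.

function acfe_demo_render_default(array $form): string
{
    return '<form data-form-id="' . (int) $form['id'] . '"></form>';
}

function acfe_demo_render_compact(array $form): string
{
    return '<form class="compact" data-form-id="' . (int) $form['id'] . '"></form>';
}

// Vulnerable shape: whatever string arrives in form[render] becomes the callback
// and the argument list is attacker-controlled too. PHP dispatches any function
// name here, which on a WordPress site includes wp_insert_user().
function acfe_demo_prepare_form_vulnerable(array $request)
{
    $form   = $request['form'] ?? [];
    $render = $form['render'] ?? 'acfe_demo_render_default';
    $args   = (array) ($form['args'] ?? [$form]);
    return call_user_func_array($render, $args);
}

// Hardened shape: the request supplies only a short key that is looked up in a
// fixed map, so the set of reachable functions is decided by the code, not by
// the caller, and the renderer receives a sanitised argument rather than the
// raw request array.
const ACFE_DEMO_RENDERERS = [
    'default' => 'acfe_demo_render_default',
    'compact' => 'acfe_demo_render_compact',
];

function acfe_demo_prepare_form_hardened(array $request): string
{
    $form = $request['form'] ?? [];
    $key  = is_string($form['render'] ?? null) ? $form['render'] : 'default';
    if (!array_key_exists($key, ACFE_DEMO_RENDERERS)) {
        throw new InvalidArgumentException("unknown form renderer '{$key}'");
    }
    $renderer = ACFE_DEMO_RENDERERS[$key];
    return $renderer(['id' => (int) ($form['id'] ?? 0)]);
}

// Constructed request body: form[render] names a harmless PHP built-in to show
// that an arbitrary function, not just a renderer, gets called.
$request = ['form' => ['render' => 'strtoupper', 'args' => ['arbitrary function reached']]];

echo acfe_demo_prepare_form_vulnerable($request), "\n";

try {
    acfe_demo_prepare_form_hardened($request);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

echo acfe_demo_prepare_form_hardened(['form' => ['render' => 'compact', 'id' => '7']]), "\n";
```

Note that wrapping the original call in an is_callable() check would not be a fix: wp_insert_user() and every other loaded function are callable. The only safe designs are an allow-list keyed by an identifier, as above, or removing the user-controlled dispatch entirely, which is what the vendor did.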
Administrators running Advanced Custom Fields: Extended should check the installed version now, in the WordPress Plugins screen or with WP-CLI (`wp plugin list --update=available` lists plugins with a pending update), and update to version 0.9.2, the patched release, as soon as possible.