A critical security vulnerability has been discovered in Advanced Custom Fields: Extended, a popular WordPress plugin with over 100,000 active installations. The flaw, tracked as CVE-2025-14533, carries a near-maximum CVSS score of 9.8, allowing unauthenticated attackers to grant themselves administrative privileges and seize full control of affected websites.
The vulnerability, discovered by security researcher Andrea Bocchetti via the Wordfence Bug Bounty Program, lies in how the plugin handles user forms. Specifically, the issue is found within the insert_user() function of the acfe_module_form_action_user class.
In affected versions, the plugin fails to properly validate permissions when a form includes a user role field. Even if a site administrator sets restrictions—such as “Allow User Role”—the code does not enforce them.
“Unfortunately, in the vulnerable version, there are no restrictions for form fields, so the user’s role can be set arbitrarily, even to ‘administrator’, regardless of the field settings, if there is a role field added to the form,” the report explains.
This oversight essentially hands the keys to the kingdom to anyone who can access a form configured with a user role field.
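The missing check described above, shown as an added illustration that is not the plugin's own code: a simplified "create user" form action that copies the role straight from the submitted field, beside a hardened version that only honours roles listed in the field's configured allow-list. The settings key `allow_user_role`, the submitted field name `user_role` and the `get_default_role()` stand-in for WordPress's default role option are assumptions.

```php
<?php
// Illustrative model only; NOT the ACF Extended insert_user() code.
// Assumed names: $settings['allow_user_role'] (the field's "Allow User Role"
// setting) and $submitted['user_role'] (the role field posted with the form).

// Stand-in for get_option('default_role'); WordPress ships with 'subscriber'.
function get_default_role(): string {
    return 'subscriber';
}

// Vulnerable pattern: whatever role the form submitter asks for is used as-is,
// so the "Allow User Role" restriction configured on the field is never enforced.
function build_user_vulnerable(array $settings, array $submitted): array {
    return [
        'user_login' => $submitted['user_login'],
        'user_email' => $submitted['user_email'],
        'role'       => $submitted['user_role'] ?? get_default_role(),
    ];
}

// Hardened pattern: the submitted role is accepted only when it appears in the
// allow-list the site administrator configured on the field. Anything else
// (including 'administrator' when it was not explicitly allowed) falls back to
// the site default role, and the rejected attempt is passed to a logger so a
// defender can review it.
function build_user_hardened(array $settings, array $submitted, ?callable $log = null): array {
    $default = get_default_role();
    $allowed = $settings['allow_user_role'] ?? [];   // e.g. ['subscriber', 'contributor']
    $role    = $submitted['user_role'] ?? $default;

    if (!in_array($role, $allowed, true)) {          // strict comparison, no type juggling
        if ($log !== null) {
            $log(sprintf('rejected role "%s" requested for login "%s"', $role, $submitted['user_login']));
        }
        $role = $default;
    }

    return [
        'user_login' => $submitted['user_login'],
        'user_email' => $submitted['user_email'],
        'role'       => $role,
    ];
}

// Constructed sample input: the field allows only 'subscriber', but the
// submitted form asks for 'administrator'.
$settings  = ['allow_user_role' => ['subscriber']];
$submitted = ['user_login' => 'newuser', 'user_email' => 'new@example.invalid', 'user_role' => 'administrator'];

echo build_user_vulnerable($settings, $submitted)['role'], PHP_EOL;
echo build_user_hardened($settings, $submitted, fn (string $m) => error_log($m))['role'], PHP_EOL;
```

Run with `php` on the command line; the first line printed is the role the vulnerable version would hand to the new account, the second the role after the allow-list check.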
The stakes for site owners are incredibly high. Once an attacker elevates their privileges to administrator, they have virtually unlimited power over the WordPress environment.
“As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would,” the report warns.
The report details that attackers could use this access to “upload plugin and theme files, which can be malicious zip files containing backdoors,” or modify content to redirect users to spam or malware sites.
While the vulnerability is critical, it does require a specific configuration to be exploitable. The report notes that the flaw is triggered only when site owners have added specific types of forms.
“This vulnerability only critically affects site owners who have added a ‘Create user’ or ‘Update user’ action form with a role field to their website, which is likely rare.”
Wordfence has urged users to update their sites immediately. The patch addressing this flaw was released in version 0.9.2.2.
Researcher Andrea Bocchetti was awarded a bounty of $975.00 for the responsible disclosure of this high-severity bug.