Unauthenticated Remote Code Execution in Advanced Custom Fields: Extended WordPress Plugin
A critical unauthenticated remote code execution vulnerability has been identified in the Advanced Custom Fields: Extended plugin for WordPress, affecting versions 0.9.0.5 through 0.9.1.1. The flaw resides in the prepare_form() function, which improperly handles user input by passing it directly to call_user_func_array(), enabling attackers to execute arbitrary code on the server without authentication. This vulnerability allows threat actors to inject backdoors, create new administrative accounts, and potentially take full control of affected WordPress sites.
Security researchers warn that exploitation of this vulnerability could lead to complete compromise of website integrity and confidentiality, including data theft and malware installation. Administrators are strongly advised to update the plugin to a secure version, implement Zero Trust security models, enable multi-factor authentication for admin accounts, and harden PHP configurations. The vulnerability is mapped to MITRE ATT&CK techniques T1059 (Command and Scripting Interpreter) and T1190 (Exploit Public-Facing Application).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Users are advised to update ACF Extended to version 0.9.1.2 or later
Remediation guidance was published recommending that affected WordPress sites upgrade Advanced Custom Fields: Extended to version 0.9.1.2 or newer. The guidance also advised reviewing systems for signs of compromise such as backdoors or unauthorized administrator accounts.
Critical RCE in ACF Extended is publicly disclosed as CVE-2025-13486
A critical unauthenticated remote code execution vulnerability affecting Advanced Custom Fields: Extended versions 0.9.0.5 through 0.9.1.1 was publicly disclosed. The flaw was tied to the plugin's prepare_form() function, which can pass user-controlled input to call_user_func_array().
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2025-13486 - Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form
cvefeed.io
Open sourceVulnerabilità Critica in Advanced Custom Fields: Extended per WordPress - Esecuzione di Codice da Remoto
gist.github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated Privilege Escalation in WordPress *Advanced Custom Fields: Extended* (CVE-2025-14533)
A critical vulnerability, **CVE-2025-14533**, was disclosed in the WordPress plugin *Advanced Custom Fields: Extended* affecting versions **<= 0.9.2.1**. The issue is an **unauthenticated privilege escalation** in the plugin’s user-form handling, where the `insert_user` logic does not properly restrict which roles can be assigned during registration; as a result, an attacker can submit a registration request specifying the **`administrator`** role and obtain full administrative access under certain configurations. Reporting indicates exploitation depends on site configuration: the flaw is reachable when a form is set up such that the **`role`** value is mapped to a custom field / user role field is present in the form. The weakness was identified by **Andrea Bocchetti** via the **Wordfence Bug Bounty Program**, and is associated with **CWE-269 (Improper Privilege Management)**; once admin access is obtained, attackers can fully compromise the site (e.g., upload malicious plugins/themes, plant backdoors, or alter content for redirects).
Mar 21, 2026
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.
Mar 21, 2026
Active Exploitation of UpdraftPlus Auth Bypass Enables WordPress Site Takeover
A critical authentication bypass in the **UpdraftPlus: WP Backup & Migration** WordPress plugin, tracked as `CVE-2026-10795`, is being actively exploited against sites running versions up to and including `1.26.4`. The flaw affects a plugin installed on more than three million WordPress sites and stems from insufficient validation in UpdraftCentral remote procedure call handling, including signature-verification weaknesses and unchecked decryption return values that can collapse to a predictable all-zero key. Wordfence reported blocking **4,987** exploitation attempts in a 24-hour period. Successful exploitation lets unauthenticated attackers impersonate the connected administrator and issue arbitrary RPC actions, including uploading and auto-activating a malicious plugin for **remote code execution** and full site compromise. The vulnerability has been classified under `CWE-347`, with a `CVSS v3.1` vector of `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`. The issue was reportedly discovered by researcher **vtim**, and the vendor released a patch that adds stricter return-value validation; administrators are being urged to update immediately.
Jun 18, 2026