Unauthenticated Privilege Escalation in WordPress *Advanced Custom Fields: Extended* (CVE-2025-14533)
A critical vulnerability, CVE-2025-14533, was disclosed in the WordPress plugin Advanced Custom Fields: Extended affecting versions <= 0.9.2.1. The issue is an unauthenticated privilege escalation in the plugin’s user-form handling, where the insert_user logic does not properly restrict which roles can be assigned during registration; as a result, an attacker can submit a registration request specifying the administrator role and obtain full administrative access under certain configurations.
Reporting indicates exploitation depends on site configuration: the flaw is reachable when a form is set up such that the role value is mapped to a custom field / user role field is present in the form. The weakness was identified by Andrea Bocchetti via the Wordfence Bug Bounty Program, and is associated with CWE-269 (Improper Privilege Management); once admin access is obtained, attackers can fully compromise the site (e.g., upload malicious plugins/themes, plant backdoors, or alter content for redirects).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Follow-up reporting cites evidence of active exploitation risk
Subsequent coverage on January 21, 2026 said there was evidence of active exploitation or heightened attacker interest around the flaw, while continuing to urge immediate updates or plugin disablement where patching was not possible. Other reports remained more cautious, noting no direct exploitation of CVE-2025-14533 had been observed.
Reports highlight patch adoption gap among ACF Extended sites
Follow-up coverage said many sites remained exposed despite the fix, with estimates suggesting nearly half of the plugin's roughly 100,000 sites could still be vulnerable. One report noted about 50,000 downloads after the patch, implying a substantial number of installations may still be running older versions.
Wordfence/CVE records publish technical details and affected conditions
On the same day as disclosure, vulnerability records and advisories documented that the flaw stems from insufficient permission validation in the plugin's insert_user logic and is exploitable only when a public Create User or Update User form maps the role parameter. The CVE entry also recorded receipt by security@wordfence.com and linked technical references.
CVE-2025-14533 is publicly disclosed as critical ACF Extended bug
Public reporting disclosed CVE-2025-14533, a critical 9.8-severity vulnerability in ACF Extended versions up to 0.9.2.1 that can let unauthenticated attackers create administrator accounts when vulnerable forms expose a mapped role field. Advisories warned that successful exploitation could lead to full WordPress site compromise.
Vendor patches CVE-2025-14533 in ACF Extended 0.9.2.2
The ACF Extended vendor fixed the unauthenticated privilege-escalation flaw in version 0.9.2.2. Multiple reports state the patch was released four days after disclosure to Wordfence, addressing missing server-side enforcement of role restrictions in user form handling.
Researcher reports ACF Extended flaw to Wordfence
Security researcher Andrea Bocchetti reported the ACF Extended privilege-escalation vulnerability to Wordfence. BleepingComputer says the report was submitted on December 10, 2025 through the Wordfence Bug Bounty Program.
GreyNoise observes broad WordPress plugin reconnaissance activity
GreyNoise reported widespread WordPress plugin enumeration activity occurring from late October 2025 through mid-January 2026. The activity was described as broad reconnaissance across plugins rather than confirmed exploitation of CVE-2025-14533 specifically.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
ACF Extended WordPress plugin flaw poses admin permission compromise risk | SC Media
scworld.com
Open sourceCritical ACF Add-on Plugin Flaw Exposes WordPress Sites
thecyberexpress.com
Open sourceACF plugin bug gives hackers admin on 50,000 WordPress sites
bleepingcomputer.com
Open sourceWordPress Plugin Vulnerability Exposes 100,000+ Sites to Privilege Escalation Attacks
cybersecuritynews.com
Open sourceCVE-2025-14533 - Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action
cvefeed.io
Open sourceCritical Flaw in "Advanced Custom Fields: Extended" Exposes 100K WordPress Sites to Takeover
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated Remote Code Execution in Advanced Custom Fields: Extended WordPress Plugin
A critical unauthenticated remote code execution vulnerability has been identified in the *Advanced Custom Fields: Extended* plugin for WordPress, affecting versions 0.9.0.5 through 0.9.1.1. The flaw resides in the `prepare_form()` function, which improperly handles user input by passing it directly to `call_user_func_array()`, enabling attackers to execute arbitrary code on the server without authentication. This vulnerability allows threat actors to inject backdoors, create new administrative accounts, and potentially take full control of affected WordPress sites. Security researchers warn that exploitation of this vulnerability could lead to complete compromise of website integrity and confidentiality, including data theft and malware installation. Administrators are strongly advised to update the plugin to a secure version, implement Zero Trust security models, enable multi-factor authentication for admin accounts, and harden PHP configurations. The vulnerability is mapped to MITRE ATT&CK techniques T1059 (Command and Scripting Interpreter) and T1190 (Exploit Public-Facing Application).
Mar 21, 2026
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.
Mar 21, 2026
WordPress Plugin Flaws Enable Privilege Escalation to Administrator
Two newly disclosed vulnerabilities in WordPress plugins can let attackers elevate privileges to **Administrator** by abusing improper handling of user profile metadata. `CVE-2026-4261` affects **Expire Users** through version `1.2.2`, where the `save_extra_user_profile_fields` function allows modification of the `on_expire_default_to_role` meta value; an authenticated attacker with **Subscriber-level access or higher** can exploit the flaw to gain full administrative control. The issue was classified as `CWE-862` and carries a high-severity `CVSS v3.1` score with the vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. A second flaw, `CVE-2026-3629`, impacts **Import and export users and customers** through version `1.29.7` and can, under specific conditions, allow even **unauthenticated** attackers to become administrators. The plugin's `save_extra_user_profile_fields` logic fails to block sensitive keys such as `wp_capabilities` because `get_restricted_fields` does not restrict them, enabling a crafted registration request to assign elevated privileges when **"Show fields in profile"** is enabled and a previously imported CSV included a `wp_capabilities` column header. That vulnerability was classified as `CWE-269` with a `CVSS v3.1` vector of `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`.
Mar 23, 2026