Unauthenticated RCE in Advanced Custom Fields: Extended for WordPress
CVE-2025-13486 is a critical unauthenticated remote code execution vulnerability in the Advanced Custom Fields: Extended (ACFE) WordPress plugin. Affected versions are 0.9.0.5 through 0.9.1.1. The flaw is attributed to the plugin's prepare_form() functionality, where user-controlled input is accepted and then passed to PHP's call_user_func_array(), enabling attacker-controlled function invocation. Supporting content also references exploitation through the WordPress AJAX surface, including crafted POST requests to /wp-admin/admin-ajax.php using ACFE form-related actions. Because the vulnerable code path can be reached without authentication, a remote attacker can invoke arbitrary PHP functionality and achieve code execution on the server.
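For defenders who cannot inspect plugin code on every site, the request pattern described above (a POST to /wp-admin/admin-ajax.php carrying action=acfe/form/render_form_ajax and an attacker-chosen form[render] callback) is the thing to hunt for in proxy or WAF logs. The following is an added detection example, not code from this page or from any of the exploit repositories it lists. It assumes a JSON-per-line request log with method, url, body and cookies fields (the sample lines are constructed), and it treats the callbacks named on this page (wp_insert_user, wp_signon, print_r) as a watchlist; any request that supplies form[render] from a client without a WordPress login cookie is also flagged.

```python
"""Hunt for CVE-2025-13486 exploitation attempts in WordPress request logs.

Added example (not part of the page or any exploit repo it describes).
Assumption: one JSON record per line with keys method, url, body, cookies,
as a reverse proxy or WAF might emit. Sample records below are constructed.
"""
import json
from urllib.parse import parse_qs, urlparse

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACFE_ACTION = "acfe/form/render_form_ajax"
# Callbacks the advisory and public exploits are reported to invoke.
HIGH_RISK_CALLBACKS = {"wp_insert_user", "wp_signon", "print_r"}


def _params(record):
    """Merge query-string and body parameters (WordPress reads action from both)."""
    merged = {}
    query = urlparse(record.get("url", "")).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        merged[key] = values[0]
    for key, values in parse_qs(record.get("body", ""), keep_blank_values=True).items():
        merged[key] = values[0]  # parse_qs also decodes form%5Brender%5D -> form[render]
    return merged


def _is_authenticated(record):
    """WordPress issues a wordpress_logged_in_<hash> cookie to logged-in users."""
    return any(name.startswith("wordpress_logged_in_") for name in record.get("cookies", {}))


def classify(record):
    """Return (severity, reason) for a suspicious record, or None."""
    if record.get("method", "").upper() != "POST":
        return None
    if not urlparse(record.get("url", "")).path.endswith(AJAX_PATH):
        return None
    params = _params(record)
    if params.get("action") != ACFE_ACTION:
        return None
    render = params.get("form[render]")
    if render is None:
        return None
    if render in HIGH_RISK_CALLBACKS:
        return ("critical", f"form[render]={render} matches a known exploit primitive")
    if not _is_authenticated(record):
        return ("high", f"unauthenticated caller supplied form[render]={render}")
    return ("medium", f"authenticated caller supplied form[render]={render}")


def scan(lines):
    """Classify JSON log lines; returns [(line_no, severity, reason), ...]."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        result = classify(record)
        if result:
            findings.append((line_no, *result))
    return findings


# Constructed sample log: benign heartbeat, two watchlist hits (one URL-encoded),
# an unknown callback from an anonymous client, a render_form_ajax call with no
# form[render], and an unknown callback from a logged-in user.
SAMPLE_LOG = [
    '{"method": "GET", "url": "/wp-admin/admin-ajax.php?action=heartbeat", "body": "", "cookies": {}}',
    '{"method": "POST", "url": "/wp-admin/admin-ajax.php", "body": "action=acfe/form/render_form_ajax&form[render]=wp_insert_user", "cookies": {}}',
    '{"method": "POST", "url": "/wp-admin/admin-ajax.php", "body": "action=acfe%2Fform%2Frender_form_ajax&form%5Brender%5D=wp_signon", "cookies": {}}',
    '{"method": "POST", "url": "/blog/wp-admin/admin-ajax.php", "body": "action=acfe/form/render_form_ajax&form[render]=unknown_callback", "cookies": {}}',
    '{"method": "POST", "url": "/wp-admin/admin-ajax.php", "body": "action=acfe/form/render_form_ajax&form[name]=contact", "cookies": {}}',
    '{"method": "POST", "url": "/wp-admin/admin-ajax.php", "body": "action=acfe/form/render_form_ajax&form[render]=unknown_callback", "cookies": {"wordpress_logged_in_0123abcd": "placeholder"}}',
]

if __name__ == "__main__":
    for line_no, severity, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: {severity}: {reason}")
```

A critical hit on a site running ACFE 0.9.0.5 through 0.9.1.1 should be treated as a likely compromise, so the follow-up is to list recently created users and sessions rather than only to patch. The medium tier exists because the page does not say whether legitimate ACFE front-end forms ever send form[render]; tune it against your own traffic before alerting on it.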
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a small standalone Python exploit for CVE-2025-13486 affecting the Advanced Custom Fields: Extended (ACFE) WordPress plugin. The repository contains one primary code file (CVE-2025-13486.py), a README with exploitation guidance and vulnerability background, a requirements.txt listing httpx/packaging/socksio dependencies, and a standard Python .gitignore. The exploit workflow is straightforward: it sends an HTTP GET request to a user-supplied target page, parses the HTML to identify the ACFE asset version via the acfe-input.min.css?ver= pattern, and checks whether the version falls within the vulnerable range 0.9.0.5 to 0.9.1.1. If exploitation mode is enabled, it then extracts an ACFE nonce from the page source and submits crafted POST requests to the WordPress AJAX endpoint /wp-admin/admin-ajax.php using action=acfe/form/render_form_ajax. The first POST sets form[render]=wp_insert_user to create a new WordPress account with attacker-controlled username, password, and role; the second sets form[render]=wp_signon to authenticate as that user. On success, the script prints the returned authentication cookie. Primary capability: unauthenticated web exploitation leading to account creation and privilege escalation on vulnerable WordPress sites. Although the README describes the underlying issue as remote code execution through unsafe call_user_func_array handling, the provided exploit operationalizes that primitive specifically to create an administrator account and obtain a valid login session rather than delivering an arbitrary shell payload. Notable implementation details: the script supports custom headers, proxying, configurable timeout, and custom username/password/role values. It disables TLS verification in the HTTP client. The code is operational but basic, with hardcoded exploitation logic and no modular payload system, which fits an OPERATIONAL maturity assessment rather than a framework-grade weaponized exploit.
This repository contains a Python exploit script (CVE-2025-13486.py) targeting a remote code execution and privilege escalation vulnerability in the Advanced Custom Fields: Extended (ACFE) WordPress plugin, versions 0.9.0.5 through 0.9.1.1. The exploit leverages improper input validation in the plugin's prepare_form() function, allowing unauthenticated attackers to create arbitrary administrator accounts via crafted HTTP requests to the /wp-admin/admin-ajax.php endpoint. The script first checks for vulnerability by parsing the plugin version from the target site, then optionally performs exploitation to create a new admin user and retrieve authentication cookies. The repository includes a README with detailed usage instructions, references, and a requirements.txt for dependencies. The exploit is operational, providing a working payload that results in full admin access to vulnerable WordPress sites.
This repository provides a working exploit for CVE-2025-13486, a critical unauthenticated remote code execution vulnerability in the Advanced Custom Fields: Extended (ACFE) WordPress plugin (versions 0.9.0.5 through 0.9.1.1). The exploit consists of a Python script (exploit.py) that automates both verification and exploitation. It first attempts to extract a required ACF nonce from the target site's public pages (/, /contact, /contact-us, /register, /signup, /apply). Once the nonce is obtained, the script sends a crafted POST request to the /wp-admin/admin-ajax.php endpoint, abusing the vulnerable 'acfe/form/render_form_ajax' action to call arbitrary PHP functions. In exploitation mode, it uses this to invoke 'wp_insert_user' and create a new administrator account with attacker-controlled credentials. The repository also includes a Nuclei-compatible YAML template (CVE-2025-13486.yaml) for automated detection and verification, a detailed README.md with usage instructions, and a LICENSE file. The exploit is operational and provides full administrative access to vulnerable WordPress sites. No hardcoded IPs or domains are present; all endpoints are relative to the user-supplied target URL.
This repository contains a Python exploit script (CVE-2025-13486.py) and a README.md. The exploit targets the Advanced Custom Fields: Extended WordPress plugin (versions 0.9.0.5 to 0.9.1.1), exploiting an unauthenticated remote code execution vulnerability in the prepare_form() function. The script can verify if a target is vulnerable by sending a marker and checking for its presence in the response. If vulnerable, it exploits the flaw by sending a crafted POST request to /wp-admin/admin-ajax.php, invoking the wp_insert_user function to create a new admin user with attacker-supplied credentials. The script supports both single and mass exploitation (via a list of targets), and can save successful results to a file. The README provides usage instructions, options, and a disclaimer. No hardcoded C2 or external network endpoints are present; all network activity is directed at the target WordPress site. The exploit is operational, providing a working payload that grants admin access to the attacker.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-13486, a remote code execution vulnerability in the Advanced Custom Fields: Extended (ACFE) WordPress plugin (versions 0.9.0.5 through 0.9.1.1). The repository consists of two files: a README.md with detailed usage instructions and vulnerability background, and poc.py, a Python script implementing the exploit logic. The script supports two modes: verification (non-destructive, using print_r to confirm vulnerability) and exploitation (creating a new administrator user on the target WordPress site). The exploit works by sending crafted POST requests to the /wp-admin/admin-ajax.php endpoint, abusing the acfe/form/render_form_ajax action to invoke arbitrary PHP functions. The script automatically attempts to extract the required nonce from the target site. The main attack vector is network-based, targeting accessible WordPress installations. No hardcoded IPs or domains are present; the target is supplied by the user. The code is a functional PoC and does not belong to any exploit framework.
Recent activity
23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability in the WordPress ACF Extended plugin, referenced as a Metasploit module PR.
A remote code execution vulnerability referenced in the same ACFE WordPress plugin context, associated with arbitrary PHP function execution via the ACFE AJAX form rendering endpoint accepting attacker-controlled function names.
Unknown (only referenced as a related-post headline indicating an unauthenticated RCE in ACF Extended).
A critical unauthenticated remote code execution issue in the ACFE WordPress plugin where an attacker can control a function callback (via form rendering) and trigger arbitrary PHP function execution, enabling full site compromise (e.g., creating an admin user).