Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Unauthenticated Privilege Escalation in Advanced Custom Fields: Extended for WordPress

IdentifiersCVE-2025-14533CWE-269· Improper Privilege Management

CVE-2025-14533 is a critical privilege-escalation vulnerability in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin affecting versions up to and including 0.9.2.1. The flaw is in the plugin’s user form handling, specifically the insert_user() function in the acfe_module_form_action_user class, which fails to enforce server-side restrictions on assignable roles during user creation or update. When a public ACFE form is configured with a Create User or Update User action and the role attribute is mapped to a custom field, an unauthenticated attacker can submit a crafted request specifying a privileged role such as administrator. The plugin passes the supplied role into WordPress user creation logic without properly restricting it, resulting in creation or update of an account with elevated privileges.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to obtain administrator privileges on the target WordPress site. With administrator access, the attacker can fully compromise the site, including installing malicious plugins or themes, uploading backdoors, modifying theme files and site settings, creating additional administrator accounts for persistence, redirecting visitors to phishing or malware content, and conducting spam or SEO-poisoning activity. The CVSS context provided indicates high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If patching cannot be performed immediately, disable or restrict any public-facing ACFE forms that use Create User or Update User actions, especially those with a mapped role field. Ensure the role attribute is not mapped to custom fields accessible to untrusted users. Disable public user registration where feasible, add server-side validation or WAF/firewall protections to block attempts to submit privileged roles, and limit exposure of registration/profile update endpoints until the plugin is updated.

Remediation

Patch, then assume compromise.

Upgrade Advanced Custom Fields: Extended to version 0.9.2.2 or later, which fixes the role-assignment validation issue. Review all ACFE forms that use Create User or Update User actions and confirm that role assignment is properly constrained. Audit for unauthorized administrator accounts and other persistence mechanisms if the plugin was exposed in a vulnerable configuration. Remove or disable vulnerable form workflows if immediate patching is not possible.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

16 SOURCESView more in app
nuclei templates pull requestsNews
Feb 7, 2026
Add CVE-2025-14533 - ACF Extended Unauthenticated Privilege Escalation by hevnsnt · Pull Request #15240 · projectdiscovery/nuclei-templates · GitHub

An unauthenticated privilege escalation vulnerability in the WordPress Advanced Custom Fields Extended (ACFE) plugin (<= 0.9.2.1) where the insert_user registration flow does not restrict user roles, enabling attackers to register with elevated roles. The same exposed AJAX endpoint is also used to confirm arbitrary function invocation, indicating broader impact.

Read more
the hacker newsNews
Jan 26, 2026
⚡ Weekly Recap: Firewall Flaws, AI-Built Malware, Browser Traps, Critical CVEs & More

Unknown

Read more
bleeping computerNews
Jan 20, 2026
ACF plugin bug gives hackers admin on 50,000 WordPress sites

Unauthenticated privilege escalation in the WordPress ACF Extended plugin allowing arbitrary role assignment (including administrator) during form-based user creation/update due to missing role restriction enforcement.

Read more
cyber security newsNews
Jan 20, 2026
WordPress Plugin Vulnerability Exposes 100,000+ Sites to Privilege Escalation Attacks

Unauthenticated privilege escalation in the Advanced Custom Fields: Extended (acf-extended) WordPress plugin that allows an attacker to create a new user with the Administrator role by submitting a crafted registration/profile form request when a role field is mapped and backend role restrictions are not enforced.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity10

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-14533
NVD
nvd.nist.gov/vuln/detail/CVE-2025-14533
MITRE CWE · CWE-269
Improper Privilege Management
plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php
plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php
plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php
wordfence.com
wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve