
ACF Extended role-restriction flaw (CVE-2025-14533)

Vulnerability
1 unique source, 1 article

Summary


CVE-2025-14533 is a critical flaw in ACF Extended 0.9.2.1 and earlier that lets unauthenticated remote attackers gain administrator access and can lead to complete site compromise. The bug abuses the Insert User / Update User form action when a role field is mapped, bypassing the configured role restrictions. The vendor released 0.9.2.2 to fix the issue; the plugin is active on about 100,000 websites.

Related Happenings

Quiz and Survey Master SQL injection mitigation (CVE-2025-67987)

Advisory/Mitigation
First: 03.02.2026 18:15 · Last: 03.02.2026 18:15 · Sources: 1

About this happening: **Patchstack** published mitigation guidance for **CVE-2025-67987**, directing administrators to update **Quiz and Survey Master** to **version 10.3.2** to close a **SQL injection...

Timeline

  1. 20.01.2026 02:00 2 articles · 4mo ago

    GreyNoise reports widespread WordPress plugin reconnaissance

    Campaign Scope Update

    GreyNoise reported broad WordPress plugin reconnaissance on January 20, 2026, noting that from late October 2025 to mid-January 2026 nearly 1,000 IPs across 145 ASNs carried out more than 40,000 unique enumeration events against 706 distinct WordPress plugins; at that point no attacks targeting CVE-2025-14533 had been observed.

  2. 14.12.2025 02:00 1 article · 5mo ago

    Vendor releases ACF Extended 0.9.2.2

    Mitigation Patch Update

    The ACF Extended vendor addressed CVE-2025-14533 and released version 0.9.2.2 on December 14, 2025, closing the role-enforcement flaw that let Create User and Update User forms with a mapped role field assign arbitrary privileges, including administrator access.

  3. 10.12.2025 02:00 1 article · 5mo ago

    Researcher reports CVE-2025-14533 to Wordfence

    Initial Disclosure

    Security researcher Andrea Bocchetti submitted a report on CVE-2025-14533 in ACF Extended to Wordfence for validation on December 10, 2025. In version 0.9.2.1 and earlier, unauthenticated remote attackers could abuse the Insert User / Update User form action to obtain administrative permissions despite configured role restrictions.
