Critical Privilege Escalation Vulnerability in ACF Extended Plugin
Summary
A critical-severity vulnerability (CVE-2025-14533) in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress allows unauthenticated attackers to gain administrative privileges. The flaw affects versions 0.9.2.1 and earlier, impacting approximately 50,000 WordPress sites. The issue arises from the lack of role restrictions during user creation or updates, enabling attackers to arbitrarily set user roles to 'administrator'. The vulnerability was discovered by Andrea Bocchetti and patched in version 0.9.2.2, released on December 14, 2025. GreyNoise reports large-scale WordPress plugin reconnaissance activity, with 1,000 IPs across 145 ASNs targeting 706 distinct plugins, including ACF Extended, in over 40,000 enumeration events from late October 2025 to mid-January 2026.
Timeline
- 21.01.2026 00:12 (1 article)
CVE-2025-14533 in ACF Extended Plugin Patched
A critical-severity vulnerability in the ACF Extended plugin, tracked as CVE-2025-14533, was discovered by Andrea Bocchetti and reported to Wordfence on December 10, 2025. The vendor released a patch in version 0.9.2.2 on December 14, 2025. The flaw allows unauthenticated attackers to gain administrative privileges by exploiting the 'Insert User / Update User' form action. Approximately 50,000 WordPress sites remain potentially vulnerable if they have not updated to the latest version.
- ACF plugin bug gives hackers admin on 50,000 WordPress sites — www.bleepingcomputer.com — 21.01.2026 00:12
Information Snippets
- The vulnerability, CVE-2025-14533, affects ACF Extended versions 0.9.2.1 and earlier.
  First reported: 21.01.2026 00:12 (1 source, 1 article)
- The flaw allows unauthenticated attackers to gain administrative privileges by abusing the 'Insert User / Update User' form action.
  First reported: 21.01.2026 00:12 (1 source, 1 article)
- The issue arises from the lack of enforcement of role restrictions during form-based user creation or updates.
  First reported: 21.01.2026 00:12 (1 source, 1 article)
- The vulnerability was discovered by Andrea Bocchetti and reported to Wordfence on December 10, 2025.
  First reported: 21.01.2026 00:12 (1 source, 1 article)
- The vendor released a patch in ACF Extended version 0.9.2.2 on December 14, 2025.
  First reported: 21.01.2026 00:12 (1 source, 1 article)
- Approximately 50,000 WordPress sites remain potentially vulnerable if they have not updated to the latest version.
  First reported: 21.01.2026 00:12 (1 source, 1 article)
- GreyNoise reports large-scale WordPress plugin reconnaissance activity targeting 706 distinct plugins, including ACF Extended.
  First reported: 21.01.2026 00:12 (1 source, 1 article)
- The reconnaissance activity involved 1,000 IPs across 145 ASNs and over 40,000 unique enumeration events from late October 2025 to mid-January 2026.
  First reported: 21.01.2026 00:12 (1 source, 1 article)