A critical security vulnerability has been identified in the Advanced Custom Fields: Extended WordPress plugin, exposing more than 100,000 websites to the risk of complete compromise. The flaw allows attackers to gain full administrator access without authentication, making it especially dangerous for sites with public-facing forms.
Vulnerability Overview
Tracked as CVE-2025-14533, the issue affects plugin versions up to 0.9.2.1 and carries a CVSS score of 9.8 (Critical). The vulnerability arises from improper handling of user roles during account creation, allowing privilege escalation at the point of registration.
How the Attack Works
The plugin enables site owners to create custom user registration and profile forms using field groups. These forms may collect standard details such as usernames, email addresses, passwords, and user roles. While the interface appears to limit which roles can be selected, the backend logic fails to enforce these restrictions.
An unauthenticated attacker can submit a crafted request to a public registration form and manually assign the administrator role. Because the plugin does not validate this value before passing it to WordPress, the platform creates a new account with full admin privileges.
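The defect described above is a server-side authorization failure: the role value that arrives in the form submission is trusted. The PHP below is an added example, not code from ACF Extended, Wordfence or WordPress core, showing a minimal front-end registration handler in the vulnerable shape beside a hardened one that enforces a role allowlist before the account is created. The function names (`acme_register_vulnerable`, `acme_register_hardened`, `acme_resolve_role`), the constant `ACME_PUBLIC_ROLE_ALLOWLIST` and the field names `acme_username`, `acme_email`, `acme_password`, `acme_role` are assumptions for illustration; `wp_insert_user`, `sanitize_user`, `sanitize_email`, `sanitize_key`, `is_user_logged_in`, `current_user_can`, `get_role`, `WP_Error` and the `set_user_role` action are real WordPress APIs.

```php
<?php
// Added example (not plugin code). Illustrates the bug class behind
// CVE-2025-14533: trusting a role value taken from a public form submission.

// Roles a public, unauthenticated registration form may ever create. Anything
// else is refused server-side, whatever the form's role picker appears to offer.
const ACME_PUBLIC_ROLE_ALLOWLIST = array( 'subscriber' ); // hypothetical constant

/**
 * Vulnerable shape: the role posted by the client is handed straight to
 * wp_insert_user(). A request carrying a privileged role slug yields an
 * account with that role. (Field names are hypothetical.)
 */
function acme_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( $_POST['acme_username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['acme_email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['acme_password'] ?? '' ),
        'role'       => sanitize_key( $_POST['acme_role'] ?? 'subscriber' ), // trusted as-is
    );
    return wp_insert_user( $userdata );
}

/**
 * Hardened shape: the requested role is resolved against an allowlist, and only
 * a logged-in submitter holding 'promote_users' may assign anything outside it.
 * Returns the new user ID or a WP_Error, like wp_insert_user().
 */
function acme_register_hardened() {
    $requested   = sanitize_key( $_POST['acme_role'] ?? 'subscriber' );
    $may_promote = is_user_logged_in() && current_user_can( 'promote_users' );
    $role        = acme_resolve_role( $requested, $may_promote );

    if ( is_wp_error( $role ) ) {
        return $role;
    }

    $userdata = array(
        'user_login' => sanitize_user( $_POST['acme_username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['acme_email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['acme_password'] ?? '' ),
        'role'       => $role,
    );
    return wp_insert_user( $userdata );
}

/**
 * Decide which role a registration may receive.
 *
 * @param string $requested   Role slug taken from the request.
 * @param bool   $may_promote Whether the submitter is an authenticated user
 *                            with the 'promote_users' capability.
 * @return string|WP_Error    The role to assign, or an error refusing it.
 */
function acme_resolve_role( $requested, $may_promote ) {
    if ( in_array( $requested, ACME_PUBLIC_ROLE_ALLOWLIST, true ) ) {
        return $requested;
    }
    // Anything beyond the public allowlist needs a privileged submitter and
    // must name a role that actually exists on this site.
    if ( $may_promote && null !== get_role( $requested ) ) {
        return $requested;
    }
    return new WP_Error(
        'acme_role_not_allowed',
        'Requested role is not permitted for this registration form.'
    );
}

// Defensive audit hook: wp_insert_user() ends up in WP_User::set_role(), which
// fires 'set_user_role', so an unexpected administrator creation is logged.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role ) {
        error_log( sprintf(
            'set_user_role: user %d became administrator (previous roles: %s)',
            $user_id,
            implode( ',', $old_roles )
        ) );
    }
}, 10, 3 );
```

The point of the hardened version is that the allowlist is applied on the server regardless of what the form renders; hiding a role option in the interface is not a control. A production handler would also verify a nonce and rate-limit registrations, which are omitted here to keep the focus on role enforcement.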
Once administrative access is obtained, an attacker has complete control over the affected website.
This includes the ability to install malicious plugins or themes, inject persistent backdoors, alter site content, redirect visitors to malicious destinations, and create additional administrator accounts to maintain long-term access.
Remediation and Risk
The vulnerability was discovered by researchers from Wordfence, and the plugin developer has addressed the issue in version 0.9.2.2. Despite this, any site that has not applied the update and continues to expose vulnerable forms remains at high risk of exploitation.
Site owners are strongly advised to update immediately and review their user registration workflows to ensure no role assignment fields are exposed publicly.




