A critical vulnerability in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin lets unauthenticated attackers take administrative control of affected sites. Tracked as CVE-2025-14533, the flaw is in the plugin's "Insert User / Update User" form action and affects versions 0.9.2.1 and earlier. The restrictions configured on the form's role field are not enforced when a submission is processed, so an attacker can supply any role, administrator included, when a user is created or updated, which amounts to complete site compromise.
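The bug class described above, as an added illustration rather than the plugin's own code or the vendor's patch: a form handler that trusts the client-supplied role next to a hardened resolver in which the server's configured allow-list, not the request, decides the role. The function names and the role lists are hypothetical.

```php
<?php
declare(strict_types=1);
// Illustration added by the editor; this is not the ACF Extended plugin's code
// and not its vendor's patch. It shows the vulnerability class behind
// CVE-2025-14533 (a user-creation form that honours a client-supplied role)
// next to a hardened role resolver. All names and role lists are hypothetical.

// VULNERABLE SHAPE: whatever role the client posts is what the user gets.
// A form meant to create subscribers will create an administrator if the
// request body says role=administrator.
function assign_role_vulnerable(array $post): string
{
    return isset($post['role']) ? (string) $post['role'] : 'subscriber';
}

// HARDENED SHAPE: the submitted value is only a hint; the server decides.
//   $submitted    raw value from the request (may be absent)
//   $form_allowed roles the form author configured for this role field
//   $registered   roles the site defines (array_keys(wp_roles()->get_names())
//                 on a real WordPress install)
//   $fallback     role used when the submission is rejected: the site default
//                 for an insert, the user's current role for an update
// Returns the role slug to hand to wp_insert_user() / wp_update_user().
function resolve_role(?string $submitted, array $form_allowed, array $registered, string $fallback): string
{
    if (!in_array($fallback, $registered, true)) {
        throw new InvalidArgumentException("fallback role '{$fallback}' is not registered");
    }
    // Only roles that are both registered and offered by this form are assignable.
    $assignable = array_values(array_intersect($form_allowed, $registered));

    $candidate = strtolower(trim((string) $submitted));
    if ($candidate === '' || !in_array($candidate, $assignable, true)) {
        // Reject by falling back, never by trusting the request.
        return $fallback;
    }
    return $candidate;
}

// Constructed demo data, not taken from any real site.
$registered   = ['administrator', 'editor', 'author', 'contributor', 'subscriber'];
$form_allowed = ['subscriber', 'contributor'];   // what the form author selected

$samples = [
    'administrator',   // privileged role smuggled into the request
    ' Contributor ',   // allowed, but needs normalising
    'editor',          // registered, but not offered by this form
    'ghost',           // not a registered role at all
    '',                // missing value
];
foreach ($samples as $s) {
    printf("%-18s vulnerable=%-14s hardened=%s\n",
        var_export($s, true),
        assign_role_vulnerable(['role' => $s]),
        resolve_role($s, $form_allowed, $registered, 'subscriber'));
}

// Update path: an existing author who posts role=administrator keeps 'author'.
echo "update: ", resolve_role('administrator', $form_allowed, $registered, 'author'), "\n";
```

The check is only as good as the allow-list it is given: a public form whose configured roles include administrator reproduces the problem even with this resolver in place, so form configurations deserve the same review as the code. Passing the user's current role as the fallback on the update path means a failed or tampered submission changes nothing rather than escalating.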
The vulnerability was responsibly disclosed, and a patched version, 0.9.2.2, was released in December 2025. Roughly 50,000 sites have updated; a similar number have not and remain vulnerable. Exploitation requires that the target site expose a form built with this action that includes a role field, which narrows the attack surface but leaves every site running such a form at severe risk. Sites that exposed one before updating should also review their administrator accounts for any they did not create.
No active exploitation has been observed so far, but broad reconnaissance campaigns are scanning for vulnerable WordPress plugins, ACF Extended among them. Security firms have also noted heightened scanning for other recently patched plugins such as Post SMTP and LiteSpeed Cache. The takeaway is to apply security updates to all WordPress components promptly, before scanning turns into exploitation.
