WordPress Plugin Vulnerability Exposes 100,000+ Sites to Privilege Escalation Attacks

A critical security flaw in the popular Advanced Custom Fields: Extended WordPress plugin has put more than 100,000 websites at risk of full takeover.

The vulnerability, tracked as CVE-2025-14533, affects plugin versions up to and including 0.9.2.1 and carries a CVSS score of 9.8 (Critical).

If left unpatched, it allows an unauthenticated attacker to gain administrator-level access on vulnerable sites by abusing the way user registration forms handle roles.

The issue stems from how the plugin manages user creation through custom forms. Site owners can build registration or profile forms using field groups that collect data such as username, email, password, and user role.

Under normal conditions, role selection should be tightly controlled so that only safe roles, like subscriber, are available to new users. In the vulnerable versions, this control breaks down, opening the door to abuse.

Wordfence analysts identified that the plugin’s insert_user form action does not properly restrict which roles can be assigned during registration when a role field is mapped.

This oversight means an attacker can submit a crafted request that sets their role to administrator, even if the form appears to limit options in the interface.

Once this request is processed, the attacker is created as a full admin on the site. After gaining administrative access, a threat actor can completely compromise the affected WordPress installation.

They can upload malicious plugins or themes with hidden backdoors, alter content to redirect visitors to phishing or malware sites, and plant spam or SEO poisoning payloads.

Given the plugin’s wide install base and the ease of exploitation when a vulnerable form is present, the impact is severe for any site that has exposed such a user action form to the public internet.

At the time of disclosure, the vendor released a fix in version 0.9.2.2, and security vendors have issued protections to block exploit attempts at the firewall level.

However, sites that have not updated and that rely on the plugin's own form settings as their only defense remain attractive targets for opportunistic attackers scanning for registration forms with a mapped role field.

Vulnerability details

Field                    Details
Vulnerability ID         CVE-2025-14533
Plugin Name              Advanced Custom Fields: Extended
Plugin Slug              acf-extended
Affected Versions        <= 0.9.2.1
Patched Version          0.9.2.2
Vulnerability Type       Unauthenticated Privilege Escalation
Attack Vector            Malicious user registration form submission
Required Conditions      Public form with mapped role field present
CVSS Score               9.8 (Critical)
Installations Affected   100,000+ active installs
Discovery Credit         andrea bocchetti via Wordfence Bug Bounty

How does the privilege escalation work?

The core of this vulnerability lies in the plugin’s flexible form system, which is designed to let site owners create custom user management workflows without writing code.

In a typical setup, an administrator defines a field group that includes fields for user information and links it to a “Create user” or “Update user” form action.

One of these fields can be a role selector, which, on the surface, appears to be limited by an “Allow User Role” setting.

Behind the scenes, when a form is submitted, the plugin calls the insert_user() function inside the acfe_module_form_action_user class.

This function collects all submitted values, including any mapped role field, and passes them directly into WordPress’ native wp_insert_user() function.

The problem is that, in the vulnerable versions, the plugin never enforces the role restriction that the site owner configured in the field group.

The form settings give a sense of safety, but the backend logic does not honor those limits.

As a result, if a public-facing form includes a mapped role field, an unauthenticated attacker can bypass the visible role choices and send their own value, such as administrator, in the HTTP request.

Since the plugin does not validate or filter this role before user creation, WordPress accepts the request and creates a new account with full admin rights. There is no need for an existing account, social engineering, or password guessing.
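To make the flaw concrete, the following PHP is an added example written for this article; it is not the plugin's code and does not reproduce the actual acfe_module_form_action_user class. It shows the pattern the article describes (a mapped role value copied straight into wp_insert_user()) next to a hardened variant that enforces a server-side role allowlist before the account is created. The function names (example_insert_user_vulnerable, example_resolve_role, example_insert_user_hardened), the $mapped_fields array shape and the $allowed_roles parameter are assumptions for illustration; wp_insert_user(), sanitize_key(), sanitize_user(), sanitize_email(), wp_roles(), is_wp_error() and WP_Error are real WordPress core APIs.

```php
<?php
/**
 * Added example, not the plugin's own code. Illustrates the bug class from the
 * article: a form action maps submitted fields onto wp_insert_user() arguments.
 * The vulnerable variant trusts whatever role arrives in the request; the
 * hardened variant enforces the site owner's configured role allowlist.
 *
 * All function names and the shape of $mapped_fields are assumptions.
 */

// Vulnerable pattern: the mapped 'role' field is copied into the user data
// unchanged, so a request carrying role=administrator creates an admin.
function example_insert_user_vulnerable( array $mapped_fields ) {
    $userdata = array(
        'user_login' => $mapped_fields['user_login'],
        'user_email' => $mapped_fields['user_email'],
        'user_pass'  => $mapped_fields['user_pass'],
    );
    if ( isset( $mapped_fields['role'] ) ) {
        $userdata['role'] = $mapped_fields['role']; // attacker-controlled value
    }
    return wp_insert_user( $userdata );
}

/**
 * Decide which role a newly created user may receive.
 *
 * $requested is the value taken from the HTTP request (untrusted); $allowed is
 * the list the site owner configured for this form (trusted, server side).
 * Returns the role slug to use, or a WP_Error if the request asks for anything
 * outside the allowlist.
 */
function example_resolve_role( $requested, array $allowed, $default = 'subscriber' ) {
    // Roles are lowercase slugs; sanitize_key() strips anything else.
    $allowed = array_map( 'sanitize_key', $allowed );
    if ( empty( $allowed ) ) {
        $allowed = array( $default );
    }
    // A public form must never hand out administrator, even if misconfigured.
    $allowed = array_values( array_diff( $allowed, array( 'administrator' ) ) );

    if ( null === $requested || '' === $requested ) {
        return $default; // nothing submitted: fall back to the least privileged role
    }
    $requested = sanitize_key( $requested );
    if ( ! in_array( $requested, $allowed, true ) ) {
        return new WP_Error( 'example_role_denied', 'Requested role is not permitted for this form.' );
    }
    // Confirm the role actually exists on this site before using it.
    if ( ! wp_roles()->is_role( $requested ) ) {
        return new WP_Error( 'example_role_unknown', 'Unknown role.' );
    }
    return $requested;
}

// Hardened pattern: the request can only select from the configured allowlist,
// and user creation is refused entirely when it asks for anything else.
function example_insert_user_hardened( array $mapped_fields, array $allowed_roles ) {
    $role = example_resolve_role( $mapped_fields['role'] ?? null, $allowed_roles );
    if ( is_wp_error( $role ) ) {
        return $role; // do not create the user at all
    }
    $userdata = array(
        'user_login' => sanitize_user( $mapped_fields['user_login'], true ),
        'user_email' => sanitize_email( $mapped_fields['user_email'] ),
        'user_pass'  => $mapped_fields['user_pass'],
        'role'       => $role,
    );
    return wp_insert_user( $userdata );
}
```

The point of the hardened version is that the role shown in the form is advisory only: the set of roles a request may pick from lives in server-side configuration, the check runs on every submission regardless of what the interface displayed, and a request for a role outside that set fails closed rather than falling through to wp_insert_user(). Excluding administrator unconditionally guards against an allowlist that was itself misconfigured.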

Once inside as an administrator, an attacker has the same control as a legitimate site owner.

They can install a malicious plugin, modify theme files to inject backdoors, change site settings, or create additional administrator accounts to maintain access even if the first account is discovered and removed.

This makes CVE-2025-14533 a direct path to complete site compromise whenever the vulnerable configuration exists.
