A critical security flaw has been discovered in a widely used ACF add-on plugin for WordPress, placing up to 100,000 websites at risk of full site takeover. The vulnerability affects the Advanced Custom Fields: Extended plugin, an add-on that extends the popular Advanced Custom Fields ecosystem. The advisory for the flaw assigns it a CVSS score of 9.8 (critical), reflecting the severity of the impact if it is exploited.
Unauthenticated Privilege Escalation Threatens WordPress Sites
The vulnerability allows unauthenticated attackers to register new user accounts with administrator-level privileges, giving them complete control over an affected WordPress site. Because no prior access or compromised credentials are needed, the exposure is far greater than with typical privilege escalation flaws that require an existing user account. Any site running a vulnerable version of the plugin with a front-end form that maps a field to the user role can be targeted from anywhere on the internet.
The Advanced Custom Fields: Extended plugin is widely used by WordPress developers and site owners to enhance how custom fields operate. As an ACF add-on plugin, it provides tools for managing front-end forms, creating options pages, defining custom post types and taxonomies, and customizing the WordPress admin interface.
How the ACF Addon Plugin Flaw Works
The issue is a privilege escalation caused by missing role restrictions during user registration. Specifically, the plugin's insert_user function does not enforce limits on which WordPress roles can be assigned when a new account is created. Core WordPress registration assigns the site's configured default role and never accepts a role from the request, precisely to prevent unauthorized privilege elevation. The plugin's own registration path sidestepped that safeguard.
Exploitation requires that the site uses a front-end form provided by the plugin, and that the form maps a custom field directly to the WordPress user role. When this configuration exists, the plugin accepts the submitted role value without verifying whether it is permitted. Essentially, the plugin relied on the HTML form to restrict role selection, without performing proper server-side validation.
For example, a developer might configure a registration form to display only the “subscriber” role. However, an attacker could inspect the form’s HTML, intercept the HTTP request, and modify the submitted value from role=subscriber to role=administrator. The plugin would then pass this value directly to WordPress’s user creation functions without validation, granting full administrator access.
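The following is an added illustration of the pattern described above, not the plugin's actual code. It assumes it runs inside WordPress (wp_insert_user, wp_roles, sanitize_key and WP_Error are core APIs) and that $submitted is the raw front-end form submission, such as $_POST. The function and variable names (demo_insert_user_vulnerable, demo_insert_user_hardened, $allowed_roles) are hypothetical. The first function shows why trusting the submitted role is fatal; the second shows the server-side validation the fix enforces.

```php
<?php
/**
 * Illustrative only: not the ACF Extended plugin's real code.
 * Assumes a WordPress runtime; $submitted is the raw form submission.
 */

// VULNERABLE pattern: the role comes straight from the request.
// The HTML <select> only offered "subscriber", but nothing here checks
// that, so a request tampered to role=administrator is honoured.
function demo_insert_user_vulnerable( array $submitted ) {
    $userdata = array(
        'user_login' => sanitize_user( $submitted['user_login'] ?? '' ),
        'user_email' => sanitize_email( $submitted['user_email'] ?? '' ),
        'user_pass'  => $submitted['user_pass'] ?? '',
        'role'       => $submitted['role'] ?? 'subscriber', // attacker-controlled
    );
    return wp_insert_user( $userdata ); // int user ID or WP_Error
}

// HARDENED pattern: the role is validated against the choices the
// developer configured for the field ($allowed_roles), which live on
// the server rather than in the submitted HTML. Anything else is rejected.
function demo_insert_user_hardened( array $submitted, array $allowed_roles ) {
    $role = sanitize_key( $submitted['role'] ?? '' );

    // 1. Must be one of the roles this form was configured to offer.
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        return new WP_Error( 'invalid_role', 'Role not permitted by this form.' );
    }

    // 2. Must be a role that actually exists on this site.
    if ( ! wp_roles()->is_role( $role ) ) {
        return new WP_Error( 'invalid_role', 'Unknown role.' );
    }

    // 3. Defence in depth: an unauthenticated visitor can never self-assign
    //    a role that can manage the site, whatever the form settings say.
    $privileged = array( 'administrator', 'editor' );
    if ( ! is_user_logged_in() && in_array( $role, $privileged, true ) ) {
        return new WP_Error( 'invalid_role', 'Privileged roles cannot be self-assigned.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( $submitted['user_login'] ?? '' ),
        'user_email' => sanitize_email( $submitted['user_email'] ?? '' ),
        'user_pass'  => $submitted['user_pass'] ?? '',
        'role'       => $role,
    );
    return wp_insert_user( $userdata );
}

// Constructed sample input: the tampered request from the example above.
// The form only displayed "subscriber"; the attacker edited the POST body.
$tampered = array(
    'user_login' => 'evil',
    'user_email' => 'evil@example.com',
    'user_pass'  => 'hunter2',
    'role'       => 'administrator',
);
$allowed = array( 'subscriber' ); // the field's configured "Choices"

$vulnerable_result = demo_insert_user_vulnerable( $tampered );
$hardened_result   = demo_insert_user_hardened( $tampered, $allowed );
```

With the sample input, the vulnerable function hands role=administrator to wp_insert_user and creates an administrator account, while the hardened function returns a WP_Error from the first check because "administrator" is not among the field's configured choices. The key design point is that the allow-list lives on the server and is consulted on every submission; the HTML form is only a convenience for the user, never a security boundary.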
If exploited, attackers can install or modify plugins and themes, inject malicious code, create backdoor administrator accounts, steal or manipulate site data, redirect visitors, or distribute malware. In effect, this represents a complete WordPress site takeover.
Patches, Updates, and Steps for Site Owners
The vulnerability affects all versions up to and including 0.9.2.1. It has been patched in version 0.9.2.2, which introduces multiple validation hooks and enhanced security checks for front-end forms and user role handling. Notable updates in the changelog include:
- Module: Forms – Enforced front-end fields validation against their respective ‘Choices’ settings
- Module: Forms – Added security measure for forms allowing user role selection
- Module: Forms – Added acfe/form/validate_value hook to validate fields individually on the front
- Module: Forms – Added acfe/form/pre_validate_value hook to bypass enforced validation
Site owners using this ACF add-on plugin should update immediately to the latest version and confirm the installed version is 0.9.2.2 or later, either on the Plugins screen or with WP-CLI (wp plugin list). If an update is not feasible, disable the plugin until the patch can be applied. Because there is evidence of active exploitation and patching does not remove accounts an attacker has already created, administrators should also review the user list for unexpected administrator accounts (for example with wp user list --role=administrator) and remove any they did not create. Given the severity of the flaw and the lack of authentication required to exploit it, any delay leaves WordPress sites exposed to complete compromise.
