ACF Extended Plugin Vulnerability – CVE-2025-14533

January 21, 2026 Faeem BLOGS 0

A critical privilege escalation flaw has been disclosed in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin, potentially exposing ~50,000 sites to complete compromise.

Vulnerability Details

  • CVE ID: CVE-2025-14533
  • Affected versions: ACF Extended 0.9.2.1 and earlier
  • Severity: Critical
  • Impact: Remote, unauthenticated attackers can gain administrator privileges.
  • Root cause:
    • Plugin’s Insert User / Update User form action does not enforce role restrictions.
    • Even if role limitations are configured, attackers can arbitrarily set the role field to “administrator.”
  • Exploit conditions: Only exploitable if a site uses a Create User or Update User form with a mapped role field.

Discovery & Patch

  • Discovered by: Andrea Bocchetti (Dec 10, 2025).
  • Validated by: Wordfence.
  • Vendor fix: Released in ACF Extended v0.9.2.2 (Dec 14, 2025).
  • Current exposure:
    • Plugin active on ~100,000 sites.
    • ~50,000 have updated to the patched version.
    • ~50,000 remain vulnerable.

Threat Landscape

  • No active exploitation yet, but reconnaissance activity is high.
  • GreyNoise findings (Oct 2025 – Jan 2026):
    • ~1,000 IPs across 145 ASNs probed 706 WordPress plugins.
    • Over 40,000 enumeration events recorded.
    • Most targeted plugins: Post SMTP, Loginizer, LiteSpeed Cache, Rank Math SEO, Elementor, Duplicator.
  • Recent exploitation examples:
    • CVE-2025-11833 (Post SMTP): Actively exploited in Nov 2025.
    • CVE-2024-28000 (LiteSpeed Cache): Exploited in Aug 2024.

Recommendations for Admins

  • Update immediately to ACF Extended v0.9.2.2 or later.
  • Audit site forms: Check for “Create User” or “Update User” forms with role fields.
  • Monitor logs: Look for suspicious user creation or role changes.
  • Harden WordPress:
    • Disable unnecessary plugins.
    • Apply least privilege principles.
    • Use Web Application Firewalls (WAF) to block exploit attempts.
  • Stay alert: Enumeration activity suggests attackers are preparing mass exploitation campaigns.

Takeaway

CVE-2025-14533 is a high-risk privilege escalation flaw that could lead to full site compromise if exploited. With half of the plugin’s user base still unpatched, the window for attackers remains wide open. Proactive patching and monitoring are critical to prevent exploitation.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.