ACF plugin vulnerability allows attackers to gain administrator access

ACF plugin vulnerability allows attackers to gain administrator access on 50,000 WordPress sites

Source: BleepingComputer, www.bleepingcomputer.com/news/secu…

A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress allows unauthenticated remote attackers to obtain administrative privileges. ACF Extended is currently active on approximately 100,000 websites. It is a specialised plugin that extends the functionality of the Advanced Custom Fields (ACF) plugin, providing additional capabilities for developers and advanced site builders.

The vulnerability, tracked as CVE-2025-14533, can be exploited to gain administrator access by abusing the plugin’s “Insert User / Update User” form action. The issue affects ACF Extended versions 0.9.2.1 and earlier.

Edward Kiledjian @ekiledjian