PT-2026-3548 · WordPress · Advanced Custom Fields: Extended

Andrea Bocchetti · Published 2026-01-20 · Updated 2026-02-06 · CVE-2025-14533

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected software: Advanced Custom Fields: Extended plugin for WordPress, versions up to and including 0.9.2.1

Description

The Advanced Custom Fields: Extended plugin for WordPress contains a flaw that allows unauthenticated attackers to gain administrator access. The cause is insufficient restriction in the plugin's insert-user function: when the 'role' parameter of a registration form is mapped to a custom field, an attacker can assign themselves the 'administrator' role during user registration. The submitted role reaches wp_insert_user(), which is abused to escalate privileges. Exploitation requires only a crafted registration request. Approximately 100,000 websites are potentially affected. A successful attack gives full site takeover, including the ability to upload malicious plugins and backdoors. A scanning campaign targeting WordPress plugins has been detected, potentially seeking to identify vulnerable sites.

Recommendations

Update to version 0.9.2.2 or later.
Disable user registration until the patch is applied.
As a temporary mitigation, strip the role parameter from registration requests.
Review recent user registrations for unauthorized administrator accounts.
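The two interim recommendations above (strip the role parameter, review recent registrations) as a WordPress must-use plugin. This is an added example written for this advisory; it is not code from the ACF Extended project or from the advisory's author. It assumes, without confirmation from the advisory, that the registration form submits the role under a top-level request field literally named "role", that the privileged role is the standard "administrator", and that new accounts should fall back to the role stored in the "default_role" option. The hook names (init, set_user_role), get_users() with date_query, and the WP-CLI helpers are standard WordPress APIs; the function names prefixed rrg_ and the "rrg audit" command are hypothetical.

```php
<?php
/**
 * Plugin Name: Registration Role Guard
 * Description: Interim hardening for CVE-2025-14533 (ACF Extended <= 0.9.2.1) until the site runs 0.9.2.2 or later.
 *
 * Added example, not part of the advisory or of the ACF Extended plugin.
 * Install as wp-content/mu-plugins/registration-role-guard.php so it loads before regular plugins.
 * Assumptions (not confirmed by the advisory): the form posts the role as a request field named "role";
 * the privileged role is "administrator"; new accounts should receive the "default_role" option value.
 */

defined( 'ABSPATH' ) || exit;

/** True when the current context may legitimately choose a role: WP-CLI, installation, or a user who can promote users. */
function rrg_request_may_assign_roles() {
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) ) {
        return true;
    }
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

/**
 * Mitigation 1 (depends on the assumed parameter name): drop a top-level "role" field from
 * unprivileged requests before any form handler can map it to a user field.
 * Priority 0 on "init" runs ahead of handlers hooked at the default priority.
 */
function rrg_strip_role_parameter() {
    if ( rrg_request_may_assign_roles() ) {
        return;
    }
    unset( $_POST['role'], $_GET['role'], $_REQUEST['role'] );
}
add_action( 'init', 'rrg_strip_role_parameter', 0 );

/**
 * Mitigation 2 (safety net independent of the parameter name): when "administrator" is assigned
 * by a context that may not assign roles, revert the account to the default role and log it.
 * "set_user_role" fires inside WP_User::set_role(); the nested set_role() call re-enters this
 * handler with the fallback role, which is never "administrator", so the recursion ends.
 */
function rrg_block_unprivileged_admin_role( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role || rrg_request_may_assign_roles() ) {
        return;
    }
    $fallback = get_option( 'default_role', 'subscriber' );
    if ( 'administrator' === $fallback ) {
        $fallback = 'subscriber'; // never loop if the default role itself was tampered with
    }
    $user = new WP_User( $user_id );
    $user->set_role( $fallback );
    $source = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        '[registration-role-guard] user %d (%s) was assigned "administrator" from %s; reset to "%s"',
        $user_id, $user->user_login, $source, $fallback
    ) );
}
add_action( 'set_user_role', 'rrg_block_unprivileged_admin_role', 10, 3 );

/**
 * Review step: administrator accounts registered in the last $days days.
 * WP_User_Query supports "date_query" on user_registered, so no raw SQL is needed.
 */
function rrg_recent_administrators( $days = 30 ) {
    $users = get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => sprintf( '%d days ago', (int) $days ) ) ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
    $rows = array();
    foreach ( $users as $user ) {
        $rows[] = array(
            'ID'         => $user->ID,
            'user_login' => $user->user_login,
            'user_email' => $user->user_email,
            'registered' => $user->user_registered,
        );
    }
    return $rows;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    // Usage: wp rrg audit --days=30
    WP_CLI::add_command( 'rrg audit', function ( $args, $assoc_args ) {
        $days = isset( $assoc_args['days'] ) ? (int) $assoc_args['days'] : 30;
        $rows = rrg_recent_administrators( $days );
        if ( empty( $rows ) ) {
            WP_CLI::success( "No administrator accounts registered in the last {$days} days." );
            return;
        }
        WP_CLI::warning( count( $rows ) . " administrator account(s) registered in the last {$days} days; verify each one." );
        WP_CLI\Utils\format_items( 'table', $rows, array( 'ID', 'user_login', 'user_email', 'registered' ) );
    } );
}
```

The request-stripping hook only helps if the form really submits the role under that field name, which is why the set_user_role handler is the layer to rely on: it catches any path through wp_insert_user() that ends in an administrator assignment without a user who holds promote_users, and the log line gives incident responders a timestamp and source address to correlate with web-server logs. Run the audit command both before and after deploying the file; it is no substitute for the update to 0.9.2.2.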

Tags: Fix · LPE · Improper Privilege Management


Weakness Enumeration

Related identifiers: CVE-2025-14533

Affected products: Advanced Custom Fields: Extended