PT-2025-48795 · WordPress · Advanced Custom Fields: Extended

Marcin Dudek · Published 2025-12-03 · Updated 2026-01-09 · CVE-2025-13486

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions: Advanced Custom Fields: Extended versions 0.9.0.5 through 0.9.1.1

Description: The Advanced Custom Fields: Extended plugin for WordPress contains a flaw that allows Remote Code Execution (RCE). The `prepare_form()` function accepts user-supplied input and passes it to `call_user_func_array()`, so the request controls which PHP function is invoked. Because `prepare_form()` is reachable without authentication, unauthenticated attackers can execute arbitrary code on the server by sending a specially crafted request, potentially injecting backdoors or creating new administrative user accounts. Approximately 100,000 WordPress sites are estimated to be affected.

Recommendations: Update to Advanced Custom Fields: Extended version 0.9.2 or later.
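As an added illustration of the bug class the description names (user input reaching `call_user_func_array()` as the callable), here is the unsafe shape beside an allowlist-based hardening. This is not the plugin's own code; the function names, the `action` and `fields` request keys, and the allowlist contents are assumed.

```php
<?php
// Added illustration for this advisory, not code from the ACF Extended plugin.
// Bug class: request data reaches call_user_func_array() as the callable, so
// the request can name any PHP function. All identifiers below are assumed.

// Vulnerable shape (do not use): the request picks the function and its arguments.
function prepare_form_unsafe(array $request)
{
    $callable = $request['action'] ?? '';         // attacker-controlled callable
    $args     = (array) ($request['args'] ?? []);  // attacker-controlled arguments
    // Note: is_callable() would NOT fix this; it accepts any existing function name.
    return call_user_func_array($callable, $args);
}

// Hardened shape: the request supplies only an opaque key, the key is resolved
// through a fixed allowlist to a known handler, and the arguments are validated.
function acfe_demo_validate(array $fields): string
{
    return 'validated ' . count($fields) . ' field(s)';
}

function acfe_demo_submit(array $fields): string
{
    return 'submitted ' . count($fields) . ' field(s)';
}

const FORM_ACTIONS = [
    'validate' => 'acfe_demo_validate',
    'submit'   => 'acfe_demo_submit',
];

function prepare_form_safe(array $request): ?string
{
    $key = $request['action'] ?? null;
    if (!is_string($key) || !array_key_exists($key, FORM_ACTIONS)) {
        return null;                               // unknown action: refuse, never guess
    }
    $fields = $request['fields'] ?? [];
    if (!is_array($fields)) {
        return null;                               // wrong argument shape: refuse
    }
    // In WordPress, a nonce and/or capability check belongs before this point.
    return call_user_func_array(FORM_ACTIONS[$key], [$fields]);
}

// Constructed requests: the second names something outside the allowlist and is rejected.
var_dump(prepare_form_safe(['action' => 'submit', 'fields' => ['a' => 1]]));
var_dump(prepare_form_safe(['action' => 'not_on_the_allowlist', 'fields' => []]));
```

The hardened version never lets request data become a callable; the only functions reachable are the two listed in `FORM_ACTIONS`.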

Tags: Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers: CVE-2025-13486

Affected Products: Advanced Custom Fields: Extended