PT-2026-44580 · WordPress · Advanced Custom Fields: Extended

Daroo

·

Published

2026-05-28

·

Updated

2026-05-29

·

CVE-2026-8809

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Advanced Custom Fields: Extended versions prior to 0.9.2.6
Description

The plugin is subject to privilege escalation through a validation bypass. The after_validate_save_post() function trusts the acf_post_id POST parameter without authentication or integrity verification. This allows unauthenticated attackers to select a cleanup branch that discards validation errors not prefixed with acfe:. Consequently, attackers can suppress the role allow-list validation error from acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error from acfe_module_form_action_user::validate_action(). With both errors discarded, wp_insert_user() runs with an attacker-supplied administrator role, creating a new administrator-level user account. Exploitation requires the target site to have a public ACFE frontend form configured with a Create User action that maps a role field.
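The following PHP is an added illustration of the bypass pattern described above; it is not code from the ACFE plugin, its vendor, or the 0.9.2.6 fix. It models a request-controlled parameter selecting a cleanup branch that drops every validation error not prefixed with acfe:, so the two errors that should block user creation never reach the final gate. Every function and key name except wp_insert_user(), is_wp_error() and the advisory's own identifiers is hypothetical, and the trigger value tested on acf_post_id is a stand-in, since the advisory only states that the parameter comes from POST without authentication or integrity checks.

```php
<?php
// Added illustration, not code from the ACFE plugin or its vendor. Models the
// pattern in the advisory: a POST-controlled parameter selects a cleanup branch
// that discards every validation error not prefixed with "acfe:". All names
// except wp_insert_user(), is_wp_error() and the advisory's own identifiers are
// hypothetical; the trigger value checked on acf_post_id is a stand-in.
// Requires PHP 8.0+ (str_starts_with).

// Constructed inputs: the two errors the advisory says the validators raise
// when an unauthenticated visitor asks for the administrator role.
function collect_validation_errors(string $requested_role, array $allowed_roles, bool $is_logged_in): array {
    $errors = [];
    if (!in_array($requested_role, $allowed_roles, true)) {
        // role allow-list error, as from acfe_field_user_roles::validate_front_value()
        $errors['field_user_roles'] = "Role '$requested_role' is not in the allowed list";
    }
    if ($requested_role === 'administrator' && !$is_logged_in) {
        // capability guard error, as from acfe_module_form_action_user::validate_action()
        $errors['action_user'] = 'Only a privileged user may assign the administrator role';
    }
    return $errors;
}

// Vulnerable shape (hypothetical reconstruction): the branch is chosen from
// POST data, and the "cleanup" keeps only acfe:-prefixed errors, silently
// discarding everything other validators reported.
function after_validate_vulnerable(array $errors, array $post): array {
    $acf_post_id = (string) ($post['acf_post_id'] ?? '');
    if (str_starts_with($acf_post_id, 'acfe_form')) {          // hypothetical trigger value
        return array_filter(
            $errors,
            fn(string $key): bool => str_starts_with($key, 'acfe:'),
            ARRAY_FILTER_USE_KEY
        );
    }
    return $errors;
}

// One hardened shape (not necessarily the vendor's change): the branch is
// gated on server-side verified state, never on a request parameter, and the
// cleanup may only touch the module's own namespace. Foreign errors always
// survive to the final gate.
function after_validate_hardened(array $errors, bool $form_verified): array {
    if (!$form_verified) {
        return $errors;
    }
    $own     = array_filter($errors, fn(string $k): bool => str_starts_with($k, 'acfe:'), ARRAY_FILTER_USE_KEY);
    $foreign = array_diff_key($errors, $own);
    return $foreign + array_unique($own);   // cleanup: dedupe own messages, keep all keys
}

// Final gate: any surviving error aborts; otherwise the user would be created.
// wp_insert_user() only exists inside WordPress, so a stand-alone run just reports.
function create_user_if_clean(array $errors, array $userdata): string {
    if ($errors !== []) {
        return 'rejected: ' . implode('; ', $errors);
    }
    if (function_exists('wp_insert_user')) {
        $id = wp_insert_user($userdata);
        return is_wp_error($id) ? 'rejected: ' . $id->get_error_message() : "created user $id";
    }
    return 'would call wp_insert_user() with role=' . $userdata['role'];
}

$userdata = ['user_login' => 'attacker', 'user_pass' => 'x', 'role' => 'administrator'];
$request  = ['acf_post_id' => 'acfe_form_123', 'role' => 'administrator'];   // constructed POST
$errors   = collect_validation_errors('administrator', ['subscriber'], false);  // two errors

// Vulnerable path: both errors vanish and the admin account would be created.
echo create_user_if_clean(after_validate_vulnerable($errors, $request), $userdata), PHP_EOL;

// Hardened path: $form_verified would come from a server-issued nonce check
// (e.g. wp_verify_nonce()), never from acf_post_id; even when true, the
// allow-list and capability errors survive and creation is refused.
echo create_user_if_clean(after_validate_hardened($errors, true), $userdata), PHP_EOL;
```

Run it with PHP 8 from the command line; the first line reports that wp_insert_user() would be reached with role=administrator, the second reports both errors. The two properties a patch should restore are visible in the hardened functions: the branch decision does not depend on any attacker-controlled field, and cleanup never removes errors raised by other validators.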
Recommendations

Update the plugin to version 0.9.2.6 or later.

Fix

LPE

Improper Privilege Management


Weakness Enumeration

Related Identifiers

CVE-2026-8809

Affected Products

Advanced Custom Fields: Extended