How Hackers Can Become Admins Without Logging In

CVE-2025-14533: Critical WordPress Plugin Lapse Puts Over 100,000 Sites at Risk

The420 Correspondent

New Delhi: A critical security vulnerability discovered in the widely used Advanced Custom Fields: Extended (ACF Extended) WordPress plugin has placed more than 100,000 websites at risk of potential full compromise, according to security researchers and official vulnerability disclosures.

The flaw, tracked as CVE-2025-14533, affects all plugin versions up to and including 0.9.2.1 and has been assigned a CVSS score of 9.8, placing it in the critical severity category. If left unpatched, the vulnerability allows an unauthenticated attacker to obtain administrator-level access, effectively taking complete control of an affected website.


Weak role validation identified as root cause

Security analysts said the issue is linked to the plugin’s functionality that allows site owners to create custom user registration and profile forms without writing code. These forms typically collect user details such as usernames, email addresses, passwords and assigned user roles.

Under WordPress core's own registration flow, a new account receives the site's configured default role (normally Subscriber), and only a user who already holds the promote_users capability can assign anything higher. In the affected versions of ACF Extended, that safeguard is not enforced for the plugin's own forms.

Researchers from Wordfence, who identified the flaw through a bug bounty submission credited to Andrea Bocchetti, found that the plugin’s insert_user form action fails to adequately restrict role values when a role field is mapped in a public-facing form.

Lack of backend validation enables abuse

By exploiting this weakness, an attacker can submit a crafted HTTP request to the form endpoint that explicitly sets the role field to administrator. Even if the rendered form only offers non-privileged roles, that limit exists only in the browser; the server-side handler neither checks the submitted value against the roles the form was configured to offer nor asks whether the submitter is permitted to assign that role.

The plugin then passes this unverified input directly to WordPress’ native wp_insert_user() function, resulting in the creation of a new user account with full administrative privileges. The process does not require an existing account, password guessing or social engineering techniques.
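The following is an added illustration of the pattern described above and of the server-side check that closes it. It is not ACF Extended's source code: the function names, the request field keys (`username`, `email`, `password`, `role`) and the `$form_roles` parameter are assumptions chosen for this example, and the request body at the end is constructed. Only the WordPress functions it calls (`wp_insert_user()`, `wp_roles()`, `current_user_can()`, `get_option()` and the sanitize helpers) are real.

```php
<?php
/*
 * Added illustrative example, not ACF Extended's own source. It reconstructs the
 * pattern the advisory describes: a form handler that hands a user-supplied role
 * to wp_insert_user(), beside a hardened handler that validates the role first.
 * Function names, the $post field keys and the $form_roles parameter are
 * assumptions made for this example. Requires WordPress to be loaded.
 */

/**
 * VULNERABLE: the role is taken from the request and passed straight through.
 * sanitize_text_field() only strips tags and stray whitespace, so a POST body
 * that sets role=administrator survives it untouched and wp_insert_user()
 * creates an administrator. A <select> that lists only "subscriber" is a
 * browser-side hint that any HTTP client can ignore.
 */
function example_insert_user_vulnerable( array $post ) {
    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => (string) ( $post['password'] ?? '' ),
        'role'       => sanitize_text_field( $post['role'] ?? get_option( 'default_role' ) ),
    );
    return wp_insert_user( $userdata ); // new user ID, or WP_Error
}

/**
 * HARDENED: decide the role on the server; never trust the submitted value.
 *
 * @param mixed    $requested  Raw value from the request.
 * @param string[] $form_roles Roles the site owner configured this form to offer.
 * @return string  The role to assign.
 */
function example_resolve_role( $requested, array $form_roles ) {
    $default = (string) get_option( 'default_role', 'subscriber' );

    // Reject anything that is not a string naming a role this site defines.
    if ( ! is_string( $requested ) || ! wp_roles()->is_role( $requested ) ) {
        return $default;
    }

    // Roles the owner deliberately exposed on this form may be chosen by anyone.
    if ( in_array( $requested, $form_roles, true ) ) {
        return $requested;
    }

    // Any other role requires a submitter who can already promote users
    // (an unauthenticated visitor never can); otherwise fall back to the default.
    return current_user_can( 'promote_users' ) ? $requested : $default;
}

function example_insert_user_hardened( array $post, array $form_roles ) {
    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => (string) ( $post['password'] ?? '' ),
        'role'       => example_resolve_role( $post['role'] ?? null, $form_roles ),
    );
    return wp_insert_user( $userdata );
}

/*
 * Constructed request body, shaped like what an unauthenticated client would
 * send to a public form that was configured to offer only "subscriber".
 * The vulnerable handler creates an administrator from it; the hardened
 * handler, given array( 'subscriber' ) as $form_roles, creates a subscriber.
 */
$constructed_post = array(
    'username' => 'newuser',
    'email'    => 'newuser@example.com',
    'password' => 'correct horse battery staple',
    'role'     => 'administrator',
);
// example_insert_user_vulnerable( $constructed_post );
// example_insert_user_hardened( $constructed_post, array( 'subscriber' ) );
```

The same resolver should sit in front of any update path that maps a role field to an existing account, since the advisory covers both user creation and update. To check whether a site has already been abused this way, list administrator accounts with their registration dates, for example with WP-CLI via `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`, and treat any account that no known administrator created as suspect.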

Low complexity, high impact vulnerability

Security experts noted that exploitation requires no prior authentication, no user interaction and no advanced technical skills, provided a vulnerable public-facing form exists on the site.

Once administrative access is obtained, an attacker can install malicious plugins or themes, alter website content, redirect visitors to phishing or malware-hosting pages, inject spam or SEO manipulation code, and create additional administrator accounts to maintain long-term control.

Given the plugin’s large install base and the relatively simple exploitation conditions, analysts said the potential impact is significant, particularly for business, media and e-commerce websites.

Affected versions and remediation

The vulnerability impacts the Advanced Custom Fields: Extended plugin (slug: acf-extended) in versions 0.9.2.1 and earlier. The developer has addressed the issue in version 0.9.2.2, which introduces strict server-side validation of user roles during form submissions.

Website operators have been advised to update immediately to the patched version. Several security vendors have also added firewall-level rules to block exploitation attempts, but experts cautioned that such rules are a stopgap: a site that relies on them alone remains exposed until the plugin itself is updated.

Conditions required for exploitation

According to the disclosure, exploitation is only possible when a website hosts a publicly accessible form that maps a user role field to a user creation or update action. Sites without such exposed forms are not directly affected, though security professionals recommend updating regardless to eliminate latent risk.

Broader implications for WordPress security

The disclosure of CVE-2025-14533 highlights persistent risks associated with plugin-driven user management features in WordPress environments. Security professionals noted that improperly validated form systems continue to be a common pathway for privilege escalation attacks.

With WordPress powering a substantial portion of the global web, vulnerabilities that allow unauthenticated administrator access are considered among the most serious, as they bypass traditional login, brute-force and social engineering barriers entirely.

Website owners have been urged to audit installed plugins, remove unnecessary public-facing forms, apply updates promptly, and deploy layered security controls such as web application firewalls and activity monitoring.

Given its severity and ease of exploitation, CVE-2025-14533 is expected to remain a high-priority remediation issue for WordPress site owners and managed hosting providers in the coming weeks.

About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
