Critical ACF Extended Plugin Vulnerability Allows Attackers to Gain Administrator Control on Over 50,000 WordPress Sites


Thursday, January 22, 2026

Cybersecurity researchers have disclosed a critical security vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress, which could allow unauthenticated remote attackers to escalate their privileges to Administrator level. The vulnerability, tracked as CVE-2025-14533, affects ACF Extended versions 0.9.2.1 and earlier. The plugin is reportedly installed on approximately 100,000 websites worldwide.

The root cause of the vulnerability is improper enforcement of user role restrictions during user creation or modification via the Insert User / Update User functionality. As a result, attackers can arbitrarily assign user roles, including the Administrator role, even when role limitations are configured. Researchers from Wordfence warn that this flaw could lead to a full website takeover. However, exploitation is only possible on sites that use user creation or update forms with a role field mapped to the form.
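As an added illustration of the check whose absence the root cause describes (example code written for this article, not the ACF Extended code base; the function, hook, field and `allowed_roles` setting names are assumptions), a WordPress form handler that treats the submitted role as untrusted input and assigns it only when it exists, is on the form's configured allowlist, and may be granted by the acting user:

```php
<?php
// Added example: enforcing role restrictions in a user-creation form handler.
// Hypothetical names; uses only core WordPress functions.

/**
 * Resolve the role a form submission may assign.
 *
 * @param string   $requested_role Role name from the submitted form field (untrusted).
 * @param string[] $allowed_roles  Roles the form is configured to permit, e.g. ['subscriber', 'author'].
 * @param string   $fallback_role  Role used when the request is not permitted.
 * @return string
 */
function example_resolve_form_role( $requested_role, array $allowed_roles, $fallback_role = 'subscriber' ) {
    $requested_role = sanitize_key( $requested_role );

    // Vulnerable pattern, for contrast: returning $requested_role unchecked here lets any
    // submitter choose 'administrator' regardless of the form's configured restriction.

    // 1. The role must exist in this site's role table.
    if ( ! array_key_exists( $requested_role, wp_roles()->get_names() ) ) {
        return $fallback_role;
    }

    // 2. The role must be one the form owner explicitly allowed (strict comparison).
    if ( ! in_array( $requested_role, $allowed_roles, true ) ) {
        return $fallback_role;
    }

    // 3. Privileged roles additionally require the acting user to hold promote_users;
    //    an unauthenticated submitter never passes this check.
    if ( 'administrator' === $requested_role && ! current_user_can( 'promote_users' ) ) {
        return $fallback_role;
    }

    return $requested_role;
}

// Usage inside a front-end form submission handler (hypothetical hook and field names).
add_action( 'example_form_submit', function ( array $fields, array $form_settings ) {
    $role = example_resolve_form_role(
        isset( $fields['role'] ) ? $fields['role'] : '',
        isset( $form_settings['allowed_roles'] ) ? $form_settings['allowed_roles'] : [ 'subscriber' ]
    );

    $user_id = wp_insert_user( [
        'user_login' => sanitize_user( $fields['user_login'] ),
        'user_email' => sanitize_email( $fields['user_email'] ),
        'user_pass'  => $fields['user_pass'],
        'role'       => $role,
    ] );

    if ( is_wp_error( $user_id ) ) {
        error_log( 'User creation failed: ' . $user_id->get_error_message() );
    }
}, 10, 2 );
```

The same resolution applies to an update path: a role arriving in an update request is re-validated before `wp_update_user()` rather than copied through from the form.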

The vulnerability was discovered by security researcher Andrea Bocchetti and reported to Wordfence on December 10, 2025. The plugin developer released a patch in version 0.9.2.2 within four days. Despite this, download statistics indicate that around 50,000 websites may still be running vulnerable versions. Meanwhile, GreyNoise reports observing widespread reconnaissance activity targeting WordPress plugins to identify vulnerable sites. Although no confirmed exploitation of this specific vulnerability has been observed yet, administrators are strongly advised to update the plugin immediately and review related form configurations to mitigate potential security risks.

Source: https://www.bleepingcomputer.com/news/security/acf-plugin-bug-gives-hackers-admin-on-50-000-wordpress-sites/