

Ethical Hacking News

A Critical Vulnerability in Advanced Custom Fields: Extended Exposes 50,000 WordPress Sites to Remote Admin Access




A critical vulnerability has been discovered in the Advanced Custom Fields: Extended plugin for WordPress, exposing approximately 50,000 websites to remote admin access. The vulnerability, tracked as CVE-2025-14533, arises from the lack of enforcement of role restrictions during form-based user creation or updates and can be leveraged by unauthenticated attackers to exploit the plugin's 'Insert User / Update User' form action in earlier versions. While no attacks have been observed yet, this discovery underscores the importance of keeping plugins up-to-date and patching vulnerabilities as soon as possible.

  • A vulnerability (CVE-2025-14533) has been discovered in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress.
  • The vulnerability can be exploited by unauthenticated attackers to gain remote admin access to affected websites.
  • Approximately 50,000 websites are estimated to be exposed due to this vulnerability.
  • The issue arises from the lack of role restrictions during user creation or updates in earlier versions of the plugin.
  • A fix was released in version 0.9.2.2, but roughly half of users may still be using an older version.
  • Attackers are actively enumerating WordPress sites for vulnerable plugins, which highlights the importance of timely patching and robust security measures.



The world of online security has witnessed numerous instances of critical vulnerabilities being discovered and exploited. A recent discovery has brought attention to a severe vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress, which has left an estimated 50,000 websites exposed to remote admin access.

ACF Extended is a specialized plugin designed to extend the capabilities of the Advanced Custom Fields (ACF) plugin with features for developers and advanced site builders. The vulnerability, tracked as CVE-2025-14533, can be leveraged by unauthenticated attackers to exploit the plugin's 'Insert User / Update User' form action in versions 0.9.2.1 and earlier.

According to Wordfence, a security firm that has been tracking this issue, the flaw arises from the lack of enforcement of role restrictions during form-based user creation or updates. This allows attackers to set an arbitrary user role, including 'administrator', regardless of the field settings configured in the plugin.

The impact of this vulnerability is severe, as it can be used for complete site compromise. Andrea Bocchetti, a security researcher who discovered the issue and submitted it to Wordfence for validation and escalation, warned that "as with any privilege escalation vulnerability, this can be used for complete site compromise."
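The role enforcement the article describes as missing, shown as an added example that is not ACF Extended's code: a front-end insert/update user handler that treats the submitted role as untrusted and only honours roles configured in the field settings. The `$field_settings` structure, the `ehn_` function names and the nonce action are assumptions; the WordPress API calls are real.

```php
<?php
// Added example, not ACF Extended's code. $field_settings and ehn_* names are hypothetical.
// The site builder configures which roles the form may assign; 'administrator' is not among them.
$field_settings = array(
    'allowed_roles' => array( 'subscriber', 'contributor' ),
    'default_role'  => 'subscriber',
);

// Resolve the role to assign. The submitted value is untrusted: it is honoured only if it is
// one of the roles configured for the field and a role that actually exists on the site.
// Anything else, including 'administrator', falls back to the configured default.
function ehn_resolve_role( $requested, array $settings ) {
    $requested = sanitize_key( (string) $requested );
    $allowed   = array_map( 'sanitize_key', $settings['allowed_roles'] );
    if ( in_array( $requested, $allowed, true ) && wp_roles()->is_role( $requested ) ) {
        return $requested;
    }
    return $settings['default_role'];
}

// Form handler for an 'Insert User / Update User' style action.
function ehn_handle_user_form( array $settings ) {
    // Only accept submissions carrying the nonce the rendered form embedded.
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'ehn_user_form' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $data    = array(
        'user_login' => sanitize_user( $_POST['user_login'] ?? '' ),
        'user_email' => sanitize_email( $_POST['user_email'] ?? '' ),
        // Never pass $_POST['role'] through directly; always go via the allow-list.
        'role'       => ehn_resolve_role( $_POST['role'] ?? '', $settings ),
    );
    if ( $user_id > 0 ) {
        // Updating an existing account (and its role) is privileged: the caller must be
        // logged in with permission to edit that user and to change roles.
        if ( ! current_user_can( 'edit_user', $user_id ) || ! current_user_can( 'promote_users' ) ) {
            wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
        }
        $data['ID'] = $user_id;
        $result     = wp_update_user( $data );
    } else {
        // Creating an account may be open to visitors (a signup form), but the role
        // still comes from the allow-list, never from the request.
        $data['user_pass'] = wp_generate_password();
        $result            = wp_insert_user( $data );
    }
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 400 ) );
    }
    return $result; // user ID on success
}
```

The key property is that the role written to the database is a function of the field configuration, not of the request, so a crafted `role=administrator` parameter degrades to the default role instead of escalating privileges.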

In response to the discovery of CVE-2025-14533, the vendor of ACF Extended released version 0.9.2.2 in early December 2025, which addressed the issue.

However, download statistics suggest that roughly half of the plugin's users are still running an earlier version. Even if every download since the fix is assumed to have been the latest version, roughly as many sites remain exposed as have been patched.

Threat monitoring firm GreyNoise has also reported large-scale WordPress plugin reconnaissance activity aimed at enumerating potentially vulnerable sites. According to their records, nearly 1,000 IPs across 145 ASNs targeted 706 distinct WordPress plugins in over 40,000 unique enumeration events between late October 2025 and mid-January 2026.

The most targeted plugins were Post SMTP, Loginizer, LiteSpeed Cache, SEO by Rank Math, Elementor, and Duplicator.

This activity suggests that attackers are actively scanning for vulnerable sites to exploit. Although no attacks targeting CVE-2025-14533 have been observed yet, the discovery of this vulnerability highlights the importance of keeping plugins up-to-date and patching vulnerabilities as soon as possible.

In light of this recent discovery, security teams should take steps to ensure their WordPress installations are protected against exploitation. This includes regularly updating plugins to their latest versions and implementing robust security measures, such as regular security audits and penetration testing.

Furthermore, the widespread adoption of the ACF Extended plugin underscores the need for developers and site builders to be vigilant about the security of their online platforms. As the landscape of online threats continues to evolve, it is crucial to remain proactive in identifying and addressing vulnerabilities before they can be exploited.

In conclusion, the discovery of CVE-2025-14533 highlights the importance of timely patching and robust security measures in protecting online platforms from exploitation. By staying vigilant and taking proactive steps to address vulnerabilities, site owners can help prevent successful attacks on their online presence.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-Advanced-Custom-Fields-Extended-Exposes-50000-WordPress-Sites-to-Remote-Admin-Access-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/acf-plugin-bug-gives-hackers-admin-on-50-000-wordpress-sites/

  • https://www.wordfence.com/blog/2025/04/50000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-uncanny-automator-wordpress-plugin/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-14533

  • https://www.cvedetails.com/cve/CVE-2025-14533/


  • Published: Tue Jan 20 16:25:25 2026 by llama3.2 3B Q4_K_M

