This is why you update: ACF Extended Plugin Vulnerability

A critical-severity security vulnerability has been discovered in the ACF Extended plugin for WordPress, potentially allowing unauthenticated attackers to gain full administrator privileges on vulnerable websites.

ACF Extended is an add-on plugin designed for developers and advanced site builders, expanding the functionality of Advanced Custom Fields (ACF). The plugin is currently active on approximately 100,000 WordPress sites. But only 50,000 downloads happened after the update that fixed it. (yikes!)

What Is the Vulnerability?

The flaw, tracked as CVE-2025-14533, affects ACF Extended versions 0.9.2.1 and earlier. It can be exploited through the plugin’s “Insert User / Update User” form action, which allows user creation or modification via frontend forms.

Due to missing role enforcement, attackers can manipulate form submissions to assign arbitrary user roles, including administrator, even when role restrictions appear to be properly configured.

Security researchers at Wordfence explain that in vulnerable versions:

User role fields are not properly restricted, allowing attackers to set the role to “administrator” regardless of the intended configuration.

As with any privilege-escalation vulnerability, successful exploitation can lead to complete site compromise.
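The missing check is easiest to see in code. What follows is an added illustration written for this post, not ACF Extended's own code: a hypothetical frontend user-creation handler in the vulnerable shape (the role is taken straight from the request) next to a hardened one that decides the role server-side. The demo_ function names and the sample form settings are assumptions.

```php
<?php
// Added illustration, not ACF Extended's code. Assumes WordPress core is loaded
// (wp_insert_user, wp_roles, current_user_can, sanitize_* are core APIs).
// Function names prefixed demo_ and the form settings below are hypothetical.

// VULNERABLE PATTERN: the role is taken straight from the submitted form. The
// role the site builder configured for the form is never enforced on the server,
// so whoever can post the form decides their own role.
function demo_create_user_unsafe( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
        'role'       => $post['role'] ?? 'subscriber', // request-controlled
    ) );
}

// HARDENED PATTERN: the role is decided server-side. $configured_role is the
// value the site builder set on the form (not user input) and is the default;
// a submitted role is honoured only if it passes every check below.
function demo_resolve_role( $submitted, $configured_role, array $allowlist ) {
    $submitted = sanitize_key( (string) $submitted );
    if ( '' === $submitted || $submitted === $configured_role ) {
        return $configured_role;
    }
    // Anonymous or unprivileged submitters never get to choose a role.
    if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
        return $configured_role;
    }
    // A frontend form never hands out administrator, whatever the allowlist says.
    if ( 'administrator' === $submitted ) {
        return $configured_role;
    }
    // Only roles the builder listed for this form, and that actually exist.
    if ( in_array( $submitted, $allowlist, true ) && wp_roles()->is_role( $submitted ) ) {
        return $submitted;
    }
    return $configured_role;
}

function demo_create_user_safe( array $post ) {
    $configured_role = 'subscriber';                         // from form settings
    $allowlist       = array( 'subscriber', 'contributor' ); // from form settings
    $role = demo_resolve_role( $post['role'] ?? '', $configured_role, $allowlist );
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
        'role'       => $role,
    ) );
}
```

The point of the hardened version is that the form's configured role is the only thing that matters unless the submitter is both authenticated and allowed to assign roles; a "role restriction" that lives only in the form configuration, with nothing behind it in the handler, is the situation the article describes.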

Important Limitation – Not All Sites Are Exploitable

Despite the severity, Wordfence emphasizes that the vulnerability is not universally exploitable.

Only sites that:

  • Use ACF Extended’s “Create User” or “Update User” forms
  • Have a role field mapped in those forms

are exposed to direct exploitation.

Sites that do not use these specific form features are not affected, even if they run a vulnerable plugin version.

Disclosure Timeline and Patch

  • December 10, 2025: The issue was reported to Wordfence by security researcher Andrea Bocchetti
  • Wordfence validated the vulnerability and escalated it to the plugin vendor
  • Four days later, the vendor released a fix in ACF Extended version 0.9.2.2

According to download statistics from WordPress.org, around 50,000 downloads occurred after the patch was released. Assuming those were updates, a similar number of sites may still be running unpatched, vulnerable versions.

Growing WordPress Plugin Reconnaissance Activity

While no confirmed attacks targeting CVE-2025-14533 have been observed so far, threat monitoring firm GreyNoise reports large-scale reconnaissance activity targeting WordPress plugins.

From late October 2025 to mid-January 2026:

  • Nearly 1,000 IP addresses
  • Across 145 autonomous systems (ASNs)
  • Targeted 706 WordPress plugins
  • In over 40,000 enumeration events

The most frequently targeted plugins include:

  • Post SMTP
  • Loginizer
  • LiteSpeed Cache
  • SEO by Rank Math
  • Elementor
  • Duplicator

GreyNoise notes that some of these probes preceded real-world exploitation, such as:

  • CVE-2025-11833 (Post SMTP), actively exploited in November 2025
  • CVE-2024-28000 (LiteSpeed Cache), marked as exploited in August 2024

This pattern suggests attackers often scan first, then exploit once vulnerable targets are identified.

What WordPress Site Owners Should Do

If you use ACF Extended:

  1. Update immediately to version 0.9.2.2 or newer
  2. Review any frontend user-creation or update forms
  3. Audit admin accounts for anything suspicious
  4. Monitor logs for unusual user-related activity
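For step 3, the following is an added audit helper written for this post, not part of the article or the plugin. It lists every administrator account and flags ones registered on or after the disclosure date, ones not in a list of admins you expect, and ones holding several roles at once. It assumes it runs inside WordPress (for example via WP-CLI's `wp eval-file`); the cut-off date, the expected-admin list and the demo_ function name are assumptions.

```php
<?php
// Added audit helper, not part of the article or the plugin. Assumes WordPress
// core is loaded, e.g. run with `wp eval-file audit-admins.php` under WP-CLI.
// The cut-off date (the disclosure date) and the expected-admin list are
// assumptions; set them to your own patch date and known admin logins.

function demo_audit_admins( $since, array $expected_logins ) {
    $flagged = array();
    $admins  = get_users( array( 'role' => 'administrator', 'number' => -1 ) );
    foreach ( $admins as $u ) {
        $reasons = array();
        if ( strtotime( $u->user_registered ) >= strtotime( $since ) ) {
            $reasons[] = 'registered on/after ' . $since;
        }
        if ( ! in_array( $u->user_login, $expected_logins, true ) ) {
            $reasons[] = 'login not in expected admin list';
        }
        // An account holding several roles at once is unusual for a hand-made admin.
        if ( count( $u->roles ) > 1 ) {
            $reasons[] = 'multiple roles: ' . implode( ',', $u->roles );
        }
        if ( $reasons ) {
            $flagged[ $u->ID ] = array(
                'login'      => $u->user_login,
                'email'      => $u->user_email,
                'registered' => $u->user_registered,
                'reasons'    => $reasons,
            );
        }
    }
    return $flagged;
}

$flagged = demo_audit_admins( '2025-12-10 00:00:00', array( 'siteowner' ) );
if ( ! $flagged ) {
    echo "No unexpected administrator accounts found.\n";
}
foreach ( $flagged as $id => $row ) {
    printf( "#%d %s <%s> registered %s: %s\n",
        $id, $row['login'], $row['email'], $row['registered'],
        implode( '; ', $row['reasons'] ) );
}
```

Anything it prints is a lead to check by hand, not proof of compromise; a legitimate admin added last month will also show up, which is the point of keeping the expected-admin list current.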

Even without confirmed exploitation, plugin enumeration is already happening, and delayed patching significantly increases risk.

Final Takeaway

This vulnerability is a strong reminder that advanced plugins with frontend user logic carry elevated risk. Even well-configured role restrictions can fail if enforcement is missing at the code level.

After working with WordPress sites for years, this pattern keeps repeating:
sites don’t get hacked because they’re important. They get hacked because they’re outdated.

Most site owners don’t ignore updates out of laziness. Life gets busy. The site works, so touching it feels risky. But attackers don’t need your site to be famous or valuable. They only need it to be unpatched.

Security issues like this one are rarely dramatic on their own. They’re quiet. Boring. Easy to postpone. And that’s exactly why they’re dangerous.

Routine maintenance tasks like updates, plugin audits, access reviews and log checks matter. This isn’t about chasing perfection. It’s about reducing your attack surface and making sure known problems don’t stay open longer than they should.

Think of it like basic car maintenance:
You don’t wait for the engine to seize before changing the oil.

WordPress is no different. If your site is part of your business, your brand, or your income, keeping it updated isn’t ‘extra work’… it’s part of owning it.

A few minutes of maintenance today is always cheaper than cleaning up a compromised site tomorrow.