A critical security vulnerability (CVE-2025-14533) affecting the popular Advanced Custom Fields: Extended WordPress plugin has exposed over 100,000 websites to potential full takeover. The flaw, with a CVSS score of 9.8 (Critical), allows unauthenticated attackers to escalate their privileges to administrator level by exploiting how user registration forms handle roles.
The vulnerability impacts plugin versions up to and including 0.9.2.1. Exploitation is possible if a site uses the plugin’s functionality to create public-facing user registration forms that include a mapped role field. This oversight enables attackers to bypass intended role restrictions and gain administrative access, posing a severe risk to affected installations.
Understanding the WordPress Plugin Vulnerability
Wordfence analysts discovered that the insert_user function within the Advanced Custom Fields: Extended plugin does not adequately validate the submitted user role during registration when the form includes a mapped role field. This means that even if a site administrator intends to restrict new user roles to basic permissions, such as “subscriber,” an attacker can submit a specially crafted request to assign themselves the “administrator” role.
This privilege escalation vulnerability bypasses the user interface controls that might suggest role limitations. Once an attacker achieves administrator status, they gain complete control over the affected WordPress site. This level of access allows for the installation of malicious plugins, injection of backdoors through theme modifications, alteration of website content for phishing or malware distribution, and the deployment of spam or SEO poisoning payloads.
The ease with which this vulnerability can be exploited, especially when a public-facing registration form with a mapped role field is present, makes it a significant threat for a large number of websites. An attacker scanning for such misconfigurations can achieve a full site compromise without prior authentication or any advanced technical skills. The widespread use of the Advanced Custom Fields: Extended plugin amplifies the potential impact.
How the Privilege Escalation Works
The Advanced Custom Fields: Extended plugin is designed to offer flexibility in managing user data and roles through custom forms without requiring custom coding. Site owners can construct field groups for user registration or profile updates, including options for usernames, emails, passwords, and importantly, user roles.
Normally, a security-conscious administrator would restrict the available user roles for new registrations to safe options. However, in the vulnerable versions of the ACF: Extended plugin, this intended restriction fails. The plugin’s insert_user() function, located within the acfe_module_form_action_user class, processes submitted form data, including the role field, and passes it directly to WordPress’s native wp_insert_user() function. The critical flaw is that the plugin does not enforce the role restrictions configured by the site administrator before this function is called.
Consequently, an unauthenticated attacker can manipulate an HTTP request to specify a high-privilege role, such as “administrator,” regardless of the visible options presented on the registration form. When the plugin passes that submitted data to wp_insert_user(), WordPress creates the new user account with administrator privileges. This bypasses the need for any existing credentials, social engineering, or brute-force attacks.
With administrator privileges, an attacker possesses the same capabilities as a legitimate site owner. This includes the ability to install rogue plugins, modify theme files to embed malicious code, alter site settings, or even create additional administrator accounts to maintain persistent access. The CVE-2025-14533 vulnerability represents a direct pathway to a complete website compromise when the susceptible configuration is present.
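The pattern described above, as an added illustration that is not the plugin's own code: a hypothetical registration handler in which the submitted role is passed straight to wp_insert_user() (the unsafe shape the advisory describes), beside a hardened version that enforces the administrator-configured allow-list on the server. The function names, the $allowed_roles and $default_role parameters, and the wp_insert_user() stub used to run the snippet outside WordPress are all assumptions for this example.

```php
<?php
// Added example, not code from the advisory or the ACF: Extended plugin.
// Stub so the snippet runs outside WordPress. The real wp_insert_user()
// returns the new user ID (or WP_Error); this stub just echoes back the
// role it was given so the two handlers can be compared.
if (!function_exists('wp_insert_user')) {
    function wp_insert_user(array $userdata) {
        return ['id' => 1001, 'role' => $userdata['role']];
    }
}

/**
 * UNSAFE (hypothetical): trusts the role field from the form submission.
 * The form UI may only offer "subscriber", but nothing on the server
 * re-checks the value, so whatever the request carries reaches
 * wp_insert_user().
 */
function insert_user_unsafe(array $submitted) {
    return wp_insert_user([
        'user_login' => $submitted['user_login'],
        'user_email' => $submitted['user_email'],
        'user_pass'  => $submitted['user_pass'],
        'role'       => $submitted['role'],   // client-controlled value
    ]);
}

/**
 * HARDENED (hypothetical): the assigned role is decided on the server.
 * $allowed_roles is the set the form author configured for this form;
 * anything else collapses to $default_role, and the rejected value is
 * logged so tampering can be investigated.
 */
function insert_user_hardened(array $submitted, array $allowed_roles, string $default_role) {
    $requested = isset($submitted['role']) ? (string) $submitted['role'] : $default_role;

    if (!in_array($requested, $allowed_roles, true)) {
        // error_log() is available both in plain PHP and inside WordPress.
        error_log(sprintf(
            '[registration] rejected role "%s" for login "%s"',
            $requested,
            $submitted['user_login']
        ));
        $requested = $default_role;
    }

    // Defense in depth: a public registration form should never be able to
    // create an administrator, even if the allow-list was misconfigured.
    if ($requested === 'administrator') {
        $requested = $default_role;
    }

    return wp_insert_user([
        'user_login' => $submitted['user_login'],
        'user_email' => $submitted['user_email'],
        'user_pass'  => $submitted['user_pass'],
        'role'       => $requested,   // server-decided value
    ]);
}

// Constructed submission: the visible form offered only "subscriber", but
// the request body carries "administrator".
$tampered = [
    'user_login' => 'newuser',
    'user_email' => 'newuser@example.com',
    'user_pass'  => 'example-password',
    'role'       => 'administrator',
];

$unsafe   = insert_user_unsafe($tampered);
$hardened = insert_user_hardened($tampered, ['subscriber'], 'subscriber');

printf("unsafe   -> role: %s\n", $unsafe['role']);
printf("hardened -> role: %s\n", $hardened['role']);
```

Run with `php example.php`: the unsafe path reports the tampered role, the hardened path reports the configured default. The point of the hardened version is that the allow-list is applied where the account is actually created, not only in the markup that renders the form's drop-down.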
Mitigation and Future Outlook
Recognizing the severity of this WordPress plugin vulnerability, the vendor has released a patched version, 0.9.2.2. Security vendors have also implemented protections at the firewall level to block attempts to exploit this flaw. However, websites that have not yet updated their plugin and rely solely on external security measures remain vulnerable.
Opportunistic attackers continue to scan the internet for websites that have not applied the necessary updates. The onus is on website administrators to ensure their Advanced Custom Fields: Extended plugin is updated to the latest secure version immediately. Failure to do so leaves them at a significant risk of a full site takeover, which can have severe consequences for data integrity, user trust, and business operations.
The immediate step for administrators is to verify their plugin version and update it promptly. The ongoing scanning by attackers means that unpatched sites will remain attractive targets. Vigilance and proactive security practices are essential in safeguarding WordPress websites against such critical privilege escalation vulnerabilities.
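Two checks an administrator can run inside WordPress after reading the above, as an added example that is not part of the advisory or the plugin: confirm the installed version is at least the patched 0.9.2.2, and list administrator accounts registered recently, since an abused role field would surface as an unexpected administrator. The plugin file path `acf-extended/acf-extended.php` and the function names are assumptions for this example and may differ on a given install.

```php
<?php
// Added example, not code from the advisory or the plugin. Intended to be
// run inside WordPress, e.g. via `wp eval-file audit.php` (WP-CLI) or as a
// must-use plugin, so ABSPATH, WP_PLUGIN_DIR and WP_User_Query are defined.

/**
 * Reads the plugin header and compares it to the patched release.
 * $plugin_file is an assumed path; adjust it to the actual install.
 */
function acfe_version_is_patched(string $plugin_file = 'acf-extended/acf-extended.php'): array {
    if (!function_exists('get_plugin_data')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $path = WP_PLUGIN_DIR . '/' . $plugin_file;
    if (!file_exists($path)) {
        return ['installed' => false, 'version' => null, 'patched' => null];
    }
    $data    = get_plugin_data($path, false, false);
    $version = $data['Version'] ?? '0';
    return [
        'installed' => true,
        'version'   => $version,
        'patched'   => version_compare($version, '0.9.2.2', '>='),
    ];
}

/**
 * Lists administrator accounts whose user_registered date falls within the
 * last $days days. Review each one against your own records; anything you
 * did not create is a candidate for incident response.
 */
function recent_administrators(int $days = 30): array {
    $query = new WP_User_Query([
        'role'       => 'administrator',
        'date_query' => [['after' => sprintf('%d days ago', $days)]],
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ]);
    $out = [];
    foreach ($query->get_results() as $user) {
        $out[] = [
            'ID'         => $user->ID,
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'registered' => $user->user_registered,
        ];
    }
    return $out;
}

$status = acfe_version_is_patched();
if (!$status['installed']) {
    echo "ACF: Extended not found at the assumed path; check the plugin directory.\n";
} else {
    printf(
        "ACF: Extended %s is %s\n",
        $status['version'],
        $status['patched'] ? 'at or above the patched 0.9.2.2' : 'VULNERABLE (below 0.9.2.2), update now'
    );
}

$admins = recent_administrators(30);
printf("Administrator accounts registered in the last 30 days: %d\n", count($admins));
foreach ($admins as $admin) {
    printf("  #%d %s <%s> registered %s\n",
        $admin['ID'], $admin['login'], $admin['email'], $admin['registered']);
}
```

The version check is the primary fix; the account review matters because the vendor patch does not remove accounts that were created before the update, and the advisory notes that attackers with administrator access tend to create additional administrator accounts for persistence.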