PROBABLYPWNED
Vulnerabilities · January 21, 2026 · 4 min read

WordPress ACF Extended Bug Lets Anyone Become Admin

CVE-2025-14533 in the ACF Extended plugin lets unauthenticated attackers register administrator accounts on WordPress sites running the plugin, which has more than 100,000 active installations.

Marcus Chen

A critical privilege escalation vulnerability in the Advanced Custom Fields: Extended plugin allows unauthenticated attackers to register administrator accounts on WordPress sites. CVE-2025-14533 carries a CVSS score of 9.8 and affects all versions through 0.9.2.1 of the plugin, which has over 100,000 active installations.

Wordfence disclosed the flaw on January 20 after the developer released version 0.9.2.2 with a fix. No active exploitation has been observed yet, but large-scale WordPress plugin reconnaissance suggests attackers are already cataloging vulnerable sites.

How the Attack Works

ACF Extended provides form actions that let developers build user registration and profile workflows. The "Insert User / Update User" action handles account creation and updates, but versions 0.9.2.1 and earlier do not enforce role restrictions on the server when a submission is processed.

Even when an administrator configures a form to allow only specific roles, that restriction lives in the field settings and is not re-checked against the value actually submitted. An unauthenticated visitor who submits the form with the role field set to 'administrator' is created as an administrator and gains full control of the WordPress installation.

From Wordfence's advisory: "The flaw arises from the lack of enforcement of role restrictions during form-based user creation or updates, and exploitation works even when role limitations are appropriately configured in the field settings."

The vulnerability affects only sites where a form using the Insert User / Update User action has the 'role' field mapped to a custom field. Sites that don't expose such a form aren't exploitable, so the 100,000-install figure is an upper bound rather than a count of vulnerable sites. Registration forms are a common use of the plugin, though, so a large share of those installations probably have one deployed.
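The shape of the bug and of the fix, as an added example written for this article in the style of a WordPress form action. It is not ACF Extended's code: the `example_` functions, the `role` form field, the `update_self` flag and the allowed-role list are hypothetical, and it assumes it runs inside WordPress, which supplies wp_insert_user(), wp_update_user(), get_role() and the other calls. The vulnerable variant takes the role from the request because the configured allowlist only shapes the form; the hardened variant enforces that allowlist at the point where the role is consumed, which is the server-side check the advisory says is missing, and applies it on the update path as well because the advisory covers both creation and updates.

```php
<?php
/**
 * Added example illustrating the vulnerability class. Not ACF Extended's code.
 * Runs inside WordPress (plugin or theme context). Function names prefixed
 * example_, the 'role' and 'update_self' form fields and the allowed-role
 * list are hypothetical.
 */

// The roles the site owner selected in the (hypothetical) form settings.
function example_allowed_form_roles(): array {
    return ['subscriber', 'customer'];
}

// VULNERABLE: the allowed-role list only populates the form's dropdown.
// The server uses whatever role value the request carries, so a direct
// POST with role=administrator (no authentication needed) yields an admin.
function example_role_vulnerable(array $post): string {
    $role = isset($post['role']) ? sanitize_key($post['role']) : '';
    return $role !== '' ? $role : (string) get_option('default_role', 'subscriber');
}

// HARDENED: the same allowlist is enforced where the role is consumed.
// A value absent from the allowlist or unknown to WordPress collapses to
// the site's default role, so a request cannot obtain 'administrator'
// unless the site owner explicitly listed it in the settings. (If you want
// a hard floor regardless of settings, reject 'administrator' here too.)
function example_role_hardened(array $post, array $allowed): string {
    $default = (string) get_option('default_role', 'subscriber');
    $role    = isset($post['role']) ? sanitize_key($post['role']) : '';
    if ($role === '' || !in_array($role, $allowed, true) || get_role($role) === null) {
        return $default;
    }
    return $role;
}

/**
 * Insert-or-update handler in the shape of a form action.
 * Returns the user ID on success or a WP_Error.
 */
function example_handle_user_form(array $post, bool $hardened) {
    $role = $hardened
        ? example_role_hardened($post, example_allowed_form_roles())
        : example_role_vulnerable($post);

    if (!empty($post['update_self'])) {
        // Update User path: the same role check matters here, otherwise a
        // logged-in subscriber editing their profile can post role=administrator.
        $user_id = get_current_user_id();
        if ($user_id === 0) {
            return new WP_Error('not_logged_in', 'Log in to update your account.');
        }
        return wp_update_user(['ID' => $user_id, 'role' => $role]);
    }

    // Insert User path: this is the unauthenticated registration case.
    return wp_insert_user([
        'user_login' => sanitize_user((string) ($post['user_login'] ?? ''), true),
        'user_email' => sanitize_email((string) ($post['user_email'] ?? '')),
        'user_pass'  => (string) ($post['user_pass'] ?? wp_generate_password()),
        'role'       => $role,
    ]);
}
```

If you maintain your own registration code, the vulnerable function is the pattern to grep for: a role, or any other capability-bearing value, that arrives in the request and reaches wp_insert_user() or wp_update_user() without being checked against a server-side allowlist.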

Reconnaissance Activity Precedes Exploitation

GreyNoise observed substantial WordPress plugin enumeration activity from late October 2025 through mid-January 2026. Nearly 1,000 IP addresses across 145 autonomous systems targeted 706 distinct WordPress plugins in over 40,000 unique enumeration events.

This pattern suggests attackers are building target lists before CVE details become widely available. Once proof-of-concept code circulates—which happens quickly for WordPress vulnerabilities—sites that haven't patched will face automated exploitation.

What Makes This Dangerous

WordPress admin access means complete site control. Attackers with administrator privileges can:

  • Install malicious plugins or themes containing backdoors
  • Modify site content to serve malware, redirects, or phishing pages
  • Access database contents including user credentials and customer data
  • Use the compromised server as infrastructure for further attacks
  • Add persistent access mechanisms that survive plugin updates

The 100,000 active installations represent significant aggregate risk. WordPress powers roughly 40% of websites, and custom field plugins are popular among developers building complex sites. Many of these installations handle sensitive data or serve business-critical functions.

Patch Now

Site owners should update ACF Extended to version 0.9.2.2 immediately. The plugin update is available through the WordPress admin dashboard or by downloading directly from WordPress.org.

If you can't patch immediately, disable the plugin until the update can be applied. If the plugin is load-bearing for the site, at a minimum remove the role mapping from every Insert User / Update User form action, since the flaw requires that mapping. The vulnerability needs no authentication, so leaving a vulnerable version active with such a form exposed invites trivial compromise.

After patching, audit your user accounts for unexpected administrators. If attackers exploited the vulnerability before you updated, they may have created backdoor accounts. Because the same action also updates users, an existing low-privilege account may have been promoted instead, and a check of recent registrations alone will miss that. Compare the full list of administrator accounts against the accounts you expect to exist, remove or demote any you don't recognize, and treat the site as compromised if you find one, since an administrator can install backdoors that outlive the account's removal.
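One way to run that audit, as an added example for this article rather than anything from Wordfence or the plugin. It is a PHP script meant to run inside WordPress, for instance with `wp eval-file audit-admins.php`; the known-good login list, the cutoff date and the `example_` names are hypothetical. It queries by the manage_options capability rather than by role name so that an account holding administrator rights through a custom or second role is listed too, and it flags recent registrations separately because a promoted existing account keeps its old registration date.

```php
<?php
/**
 * Post-patch administrator audit. Added example for this article, not
 * Wordfence's or the plugin's code. Run inside WordPress, for instance:
 *   wp eval-file audit-admins.php
 * The known-good login list and the cutoff date are hypothetical inputs.
 */

// Hypothetical: the administrator logins that are supposed to exist.
function example_known_good_admins(): array {
    return ['ops-admin', 'webmaster'];
}

/**
 * Every account that can act as an administrator and is not on the
 * known-good list. The 'capability' query (WordPress 5.9+) resolves to
 * every role that grants manage_options, so an admin hidden behind a
 * custom role is included; it does not see a capability written directly
 * into usermeta, which a compromised admin could also do. On older
 * WordPress use 'role' => 'administrator' instead.
 */
function example_audit_admins(array $known_good, string $registered_since = ''): array {
    $findings = [];
    $users = get_users([
        'capability' => 'manage_options',
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ]);
    foreach ($users as $user) {
        if (in_array($user->user_login, $known_good, true)) {
            continue;
        }
        $findings[] = [
            'ID'         => $user->ID,
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'registered' => $user->user_registered,
            'roles'      => implode(',', $user->roles),
            // Registration date only tells you about accounts created by the
            // Insert User path. An account promoted through the Update User
            // path keeps its original registration date, which is why the
            // known-good comparison above is the primary signal.
            // MySQL datetimes compare correctly as strings.
            'recent'     => $registered_since !== '' && $user->user_registered >= $registered_since,
        ];
    }
    return $findings;
}

// Hypothetical cutoff: the earliest date the vulnerable form was live.
foreach (example_audit_admins(example_known_good_admins(), '2025-10-01 00:00:00') as $f) {
    printf("%s%d\t%s\t%s\t%s\t%s\n",
        $f['recent'] ? '[RECENT] ' : '',
        $f['ID'], $f['login'], $f['email'], $f['registered'], $f['roles']);
}

// On multisite, super admins bypass per-site roles entirely; check them too.
if (is_multisite()) {
    foreach (array_diff(get_super_admins(), example_known_good_admins()) as $login) {
        echo "unexpected super admin: {$login}\n";
    }
}
```

Anything the script prints deserves a look at the account's usermeta and at what the account did (installed plugins, edited theme files, new scheduled tasks) before you simply delete it.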

The Broader Pattern

WordPress plugin vulnerabilities follow a predictable cycle. Researchers discover flaws, developers release patches, and attackers exploit the gap between patch availability and adoption. Sites with delayed update schedules or abandoned plugins face the highest risk.

This particular vulnerability class—improper role validation in user creation—appears repeatedly across WordPress plugins. Developers assume client-side restrictions will be respected, but attackers send direct HTTP requests that bypass form validation entirely.

For organizations running WordPress at scale, consider Web Application Firewall rules that block suspicious user registration patterns, such as form submissions carrying a role value of administrator. Monitor for new administrator accounts and alert whenever a privileged role is granted, including when an existing user's role changes. And maintain an inventory of installed plugins and their versions so you can respond quickly when vulnerabilities like CVE-2025-14533 surface.
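A minimal implementation of that alerting control, as an added example for this article and not part of ACF Extended or Wordfence: a must-use plugin that logs and emails whenever a user gains a privileged role. The recipient address, the set of roles treated as privileged and the `example_` names are hypothetical. It hooks set_user_role, which fires from WP_User::set_role() and therefore for both wp_insert_user() and wp_update_user(), so a newly registered administrator and an existing account promoted through an update path both produce an alert; it also hooks add_user_role for the case where a role is appended rather than replaced.

```php
<?php
/**
 * Plugin Name: Privileged Role Alert
 * Description: Added example for this article (not part of ACF Extended or
 * Wordfence). Place in wp-content/mu-plugins/ so it loads on every request
 * and cannot be deactivated from the dashboard. The recipient address and
 * the set of roles considered privileged are hypothetical; adjust for your site.
 */

const EXAMPLE_ALERT_EMAIL      = 'security@example.com';   // hypothetical recipient
const EXAMPLE_PRIVILEGED_ROLES = ['administrator', 'editor'];

/**
 * True when $new_role is privileged and the user did not already hold it.
 * Kept free of WordPress calls so the decision logic is easy to unit test.
 */
function example_is_privilege_grant(string $new_role, array $old_roles, array $privileged): bool {
    return in_array($new_role, $privileged, true) && !in_array($new_role, $old_roles, true);
}

/** Who made the request: login or 'unauthenticated', plus source IP and URI. */
function example_request_context(): string {
    $actor = wp_get_current_user();
    $who   = ($actor instanceof WP_User && $actor->exists()) ? $actor->user_login : 'unauthenticated';
    $ip    = isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : 'unknown';
    $uri   = isset($_SERVER['REQUEST_URI']) ? sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI'])) : 'cli';
    return sprintf('actor=%s ip=%s uri=%s', $who, $ip, $uri);
}

function example_alert_privilege_grant(int $user_id, string $role, array $old_roles): void {
    if (!example_is_privilege_grant($role, $old_roles, EXAMPLE_PRIVILEGED_ROLES)) {
        return;
    }
    $user    = get_userdata($user_id);
    $login   = $user ? $user->user_login : '#' . $user_id;
    $message = sprintf(
        "[%s] user %s (ID %d) granted role '%s' (previous roles: %s); %s",
        gmdate('c'), $login, $user_id, $role,
        $old_roles ? implode(',', $old_roles) : 'none',
        example_request_context()
    );
    error_log($message);   // PHP / web server error log, where a SIEM can pick it up
    wp_mail(EXAMPLE_ALERT_EMAIL, 'Privileged role granted on ' . home_url(), $message);
}

// set_user_role fires from WP_User::set_role(), which wp_insert_user() and
// wp_update_user() both call. An administrator created through a form and an
// existing account promoted through the Update User path are both caught;
// for a brand-new user $old_roles is empty.
add_action('set_user_role', 'example_alert_privilege_grant', 10, 3);

// add_user_role fires from WP_User::add_role(), which appends a role without
// replacing the existing ones and does not trigger set_user_role.
add_action('add_user_role', function (int $user_id, string $role): void {
    $user = get_userdata($user_id);
    // The new role is already present on the user when this hook fires, so
    // remove it from the "previous roles" list before evaluating the grant.
    $old_roles = $user ? array_values(array_diff($user->roles, [$role])) : [];
    example_alert_privilege_grant($user_id, $role, $old_roles);
}, 10, 2);
```

Because it is a must-use plugin it runs before regular plugins load and cannot be switched off from the admin screens, though an attacker with file access can still remove it; ship the error_log line to a log collector outside the web host so the record survives even if the site is later cleaned up by the intruder.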
