Platform
wordpress
Component
acf-extended
Fixed in
0.9.3
CVE-2025-14533 describes a Privilege Escalation vulnerability discovered in the Advanced Custom Fields: Extended plugin for WordPress. This flaw allows unauthenticated attackers to potentially gain administrator access to a WordPress site. The vulnerability affects versions from 0.0.0 through 0.9.2.1, and a fix is available in version 0.9.2.2.
The impact of this vulnerability is severe. An attacker can exploit it to bypass authentication and directly gain administrator privileges on the WordPress site. This grants them complete control over the site, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially compromise the entire server infrastructure. Exploitation requires that a custom field be mapped to 'role' during registration, which limits the exposed population, but wherever that configuration exists the risk is substantial.
This vulnerability was publicly disclosed on 2026-01-20. While no public proof-of-concept (PoC) has been released, the ease of exploitation, combined with the plugin's popularity, makes it a likely target for malicious actors. The vulnerability has not yet been added to the CISA KEV catalog, but its critical severity warrants close monitoring. Active campaigns targeting WordPress plugins are common, so vigilance is advised.
WordPress sites using the Advanced Custom Fields: Extended plugin, particularly those with custom fields configured to manage user roles during registration, are at significant risk. Shared hosting environments where plugin updates are not managed by the user are also particularly vulnerable.
• wordpress / composer / npm: wp plugin list --status=active | grep 'Advanced Custom Fields: Extended'
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: wp plugin status | grep 'Advanced Custom Fields: Extended'
• wordpress / composer / npm: wp option get default_role (WordPress core's "New User Default Role" option; there is no registration_role option)
• wordpress / composer / npm: wp user create <user-login> <user-email> --role=administrator --url=your_wordpress_url (WP-CLI requires the login and e-mail positional arguments and the --role=value form)
Disclosure
Exploit status
EPSS
0.14% (34th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling user registration or restricting the roles that can be assigned during registration. Review your WordPress site's configuration to ensure that the 'role' custom field is not being used in user registration. Implement a Web Application Firewall (WAF) rule to block requests attempting to manipulate user roles during registration. After upgrading, verify the fix by attempting a user registration with an administrator role and confirming that it is rejected.
Update to version 0.9.2.2, or a newer patched version
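As a compensating control while the upgrade is pending, the following must-use plugin is an added example written for this page, not code from ACF Extended or WordPress: it reverts a privileged role granted in a request whose actor cannot promote users, and logs the event for detection. It assumes the role list in RRG_PRIVILEGED_ROLES and relies on WordPress core's set_user_role and add_user_role hooks and its default_role option.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, not part of ACF Extended)
 * Install under wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Assumption: roles that only a user with 'promote_users' may hand out.
const RRG_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

function rrg_guard_role( $user_id, $role ) {
    static $guarding = false;
    if ( $guarding ) {
        return; // the set_role() call below re-fires this hook
    }
    if ( ! in_array( $role, RRG_PRIVILEGED_ROLES, true ) ) {
        return;
    }
    // Legitimate paths: core install, WP-CLI, or an actor allowed to promote.
    if ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) {
        return;
    }
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || current_user_can( 'promote_users' ) ) {
        return;
    }
    $guarding = true;
    $user = get_userdata( $user_id );
    if ( $user ) {
        // Downgrade to the site's configured default registration role.
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
        error_log( sprintf(
            'rrg: reverted privileged role "%s" for user %d (remote %s)',
            $role,
            $user_id,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
    }
    $guarding = false;
}

// set_user_role fires from WP_User::set_role() (used by wp_insert_user),
// add_user_role from WP_User::add_role(); both pass ($user_id, $role).
add_action( 'set_user_role', 'rrg_guard_role', 10, 2 );
add_action( 'add_user_role', 'rrg_guard_role', 10, 2 );
```

The error_log line doubles as a detection signal: any "rrg: reverted privileged role" entry in the PHP error log indicates a registration request that attempted to assign administrator or editor.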
CVE-2025-14533 is a critical vulnerability in the Advanced Custom Fields: Extended WordPress plugin that allows unauthenticated attackers to gain administrator access by exploiting a flaw in user registration role assignment.
You are affected if you are using Advanced Custom Fields: Extended versions 0.0.0 through 0.9.2.1 and have the 'role' custom field mapped to user registration.
Upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2.2 or later. If immediate upgrade is not possible, temporarily disable user registration or restrict roles during registration.
While no public exploit is currently available, the vulnerability's severity and ease of exploitation make it a likely target for malicious actors.
Refer to the official Advanced Custom Fields Extended plugin documentation and WordPress security announcements for the latest information.