Platform: wordpress
Component: acf-extended
Fixed in: 0.9.3
CVE-2025-14533 describes a privilege escalation vulnerability in the Advanced Custom Fields: Extended plugin for WordPress. The flaw allows unauthenticated attackers to potentially gain administrator access to a WordPress site. It affects versions 0.0.0 through 0.9.2.1; a fix is available in version 0.9.2.2.
The impact of this vulnerability is severe. An attacker can use it to bypass authentication and obtain administrator privileges on the site outright. That grants complete control, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data) and potentially compromise the underlying server. Exploitation requires that the site's user registration maps a custom field to 'role', which limits exposure, but wherever that configuration exists the risk is substantial.
This vulnerability was publicly disclosed on 2026-01-20. No public proof-of-concept (PoC) has been released, but the ease of exploitation combined with the plugin's popularity makes it a likely target for malicious actors. It has not yet been added to the CISA KEV catalog; its critical severity nevertheless warrants close monitoring. Active campaigns against WordPress plugins are common, so vigilance is advised.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2.2 or later immediately. If an upgrade is not immediately feasible because of compatibility issues or breaking changes, temporarily disable user registration or restrict the roles that can be assigned during registration. Review the site's configuration to ensure that the 'role' custom field is not used in user registration. Add a Web Application Firewall (WAF) rule that blocks requests attempting to set a user role during registration. After upgrading, verify the fix by attempting a user registration that requests an administrator role and confirming that the request is rejected.
Update to version 0.9.2.2, or a newer patched version.
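As an added defensive example (not code from the plugin or from this advisory), the following must-use plugin is one way to enforce the "restrict roles during registration" advice above while the upgrade is pending, and to log the attempt: it hooks WordPress core's set_user_role action, so it covers any code path that assigns a role, and resets a privileged role to the site's default role whenever the request does not come from a user who may promote users. The plugin, function names and the privileged-role list are assumptions, not anything ACF Extended ships.

```php
<?php
/**
 * Plugin Name: Registration Role Guard
 * Description: Added example (not part of ACF Extended). Resets privileged roles assigned in a
 *              request that lacks the promote_users capability (e.g. self-registration) and logs it.
 * Install as wp-content/mu-plugins/registration-role-guard.php
 */

// Assumption: roles a self-registering visitor must never end up with; adjust to site policy.
function rrg_privileged_roles() {
    return array( 'administrator', 'editor', 'author' );
}

/**
 * Core fires set_user_role from WP_User::set_role(), whichever caller (core registration,
 * a form plugin mapping a "role" field, ...) triggered the assignment.
 */
add_action( 'set_user_role', 'rrg_guard_role_change', 10, 3 );
function rrg_guard_role_change( $user_id, $role, $old_roles ) {
    static $resetting = false;
    if ( $resetting ) {
        return; // our own corrective set_role() call below
    }
    // WP-CLI runs without a logged-in user; do not block administrative provisioning there.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;
    }
    // Logged-in users who may promote users (administrators in wp-admin) keep their ability.
    if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
        return;
    }
    if ( ! in_array( $role, rrg_privileged_roles(), true ) ) {
        return;
    }
    $default_role = get_option( 'default_role', 'subscriber' );
    $remote       = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';

    // Log before correcting, so the attempt is visible in the PHP error log or a SIEM feed.
    error_log( sprintf(
        'registration-role-guard: blocked role "%s" for user %d (previous: %s) from %s; reset to "%s"',
        $role, $user_id, implode( ',', (array) $old_roles ), $remote, $default_role
    ) );

    $resetting = true;
    $user      = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( $default_role );
    }
    $resetting = false;
}
```

To confirm the upgrade actually landed, `wp plugin get acf-extended --field=version` (WP-CLI, assuming the plugin slug shown in the Component field above) prints the installed version, which should be 0.9.2.2 or later.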
CVE-2025-14533 is a critical vulnerability in the Advanced Custom Fields: Extended WordPress plugin that allows unauthenticated attackers to gain administrator access through a flaw in how roles are assigned during user registration.
You are affected if you are using Advanced Custom Fields: Extended versions 0.0.0 through 0.9.2.1 and have the 'role' custom field mapped to user registration.
Upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2.2 or later. If immediate upgrade is not possible, temporarily disable user registration or restrict roles during registration.
No public exploit is currently available, but the vulnerability's severity and ease of exploitation make it a likely target for malicious actors.
Refer to the official Advanced Custom Fields Extended plugin documentation and WordPress security announcements for the latest information.