Platform
wordpress
Component
acf-extended
Fixed in
0.9.2
CVE-2025-13486 is a critical Remote Code Execution (RCE) vulnerability discovered in the Advanced Custom Fields: Extended plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server, leading to complete system compromise. It impacts versions 0.9.0.5 through 0.9.1.1, and a fix is available in version 0.9.2.
The impact of this RCE vulnerability is severe. An attacker exploiting this flaw can gain complete control over the WordPress server hosting the affected website, including the ability to install malware, steal sensitive data (user credentials, database contents, customer data), modify website content, and potentially pivot to other systems on the network. The root cause is the prepare_form() function's improper handling of user input: it passes user-controlled input to call_user_func_array(), which creates the opportunity for arbitrary code execution. This is a high-risk scenario, similar to other RCE vulnerabilities in WordPress plugins that have led to widespread compromise.
CVE-2025-13486 was publicly disclosed on December 2, 2025. While no active exploitation campaigns have been confirmed at the time of writing, the vulnerability's critical severity and ease of exploitation make it a likely target. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are expected to emerge, increasing the risk of widespread exploitation.
Websites utilizing the Advanced Custom Fields: Extended plugin in versions 0.9.0.5 through 0.9.1.1 are at significant risk. Shared hosting environments are particularly vulnerable, as a compromise of one website can potentially impact others on the same server. WordPress installations with default or weak security configurations are also at higher risk.
• wordpress / composer / npm:
grep -r 'call_user_func_array' /var/www/html/wp-content/plugins/advanced-custom-fields-extended/
• wordpress / composer / npm:
wp plugin list | grep 'advanced-custom-fields-extended'
• wordpress / composer / npm:
wp plugin update advanced-custom-fields-extended
• generic web: Check the WordPress plugin directory for mentions of the vulnerability and potential exploit attempts.
• generic web: Review WordPress access and error logs for suspicious activity related to the plugin.
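As an added example (not part of this advisory or the plugin's own tooling), a POSIX shell check that reads the Version header from an installed plugin directory and classifies it against the affected range 0.9.0.5 through 0.9.1.1 using a numeric dotted-version comparison; the plugin directory path and the header layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify an acf-extended
# version against the range CVE-2025-13486 affects (0.9.0.5 .. 0.9.1.1,
# fixed in 0.9.2). Pure POSIX sh + awk, so no `sort -V` dependency.

AFFECTED_MIN="0.9.0.5"
FIXED_IN="0.9.2"

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B. Dotted components are
# compared numerically, so 0.9.10 > 0.9.9 and 0.9.2 > 0.9.1.1 (a missing
# trailing component counts as 0).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# is_affected VERSION: prints "affected", "fixed" or "older than affected
# range"; exit status is 0 only when the version is in the vulnerable range.
is_affected() {
    if [ "$(vercmp "$1" "$AFFECTED_MIN")" -lt 0 ]; then
        echo "older than affected range"; return 1
    elif [ "$(vercmp "$1" "$FIXED_IN")" -lt 0 ]; then
        echo "affected"; return 0
    fi
    echo "fixed"; return 1
}

# installed_version DIR: read the "Version:" plugin header from the
# top-level PHP files of an installed plugin directory (assumed layout).
installed_version() {
    grep -h -i '^[[:space:]]*\**[[:space:]]*Version:' "$1"/*.php 2>/dev/null \
        | head -n 1 | sed 's/.*[Vv]ersion:[[:space:]]*//' | tr -d '\r'
}

# Usage: sh check.sh /path/to/wp-content/plugins/<plugin-dir>
if [ $# -gt 0 ]; then
    v=$(installed_version "$1")
    [ -n "$v" ] || { echo "no plugin version header found in $1" >&2; exit 2; }
    echo "installed $v: $(is_affected "$v")"
fi
```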
disclosure
Exploit Status
EPSS
74.90% (percentile 99%)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests targeting the prepare_form() function with suspicious input. Thoroughly review WordPress user roles and permissions to limit the potential impact of a successful attack. After upgrading, confirm the vulnerability is resolved by attempting to trigger the vulnerable function with malicious input and verifying that it is properly sanitized.
Update to version 0.9.2, or a newer patched version
CVE-2025-13486 is a critical Remote Code Execution vulnerability in the Advanced Custom Fields: Extended WordPress plugin, allowing attackers to execute arbitrary code on the server.
You are affected if you are using Advanced Custom Fields: Extended versions 0.9.0.5 through 0.9.1.1. Check your plugin version immediately.
Upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2 or later to resolve the vulnerability. Disable the plugin if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target. Monitor your systems closely.
Refer to the official Advanced Custom Fields: Extended plugin website and WordPress.org plugin repository for the latest advisory and updates.