Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form
अनुवाद हो रहा है…प्लेटफ़ॉर्म
wordpress
घटक
acf-extended
में ठीक किया गया
0.9.2
CVE-2025-13486 is a critical Remote Code Execution (RCE) vulnerability discovered in the Advanced Custom Fields: Extended plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server, leading to complete system compromise. It impacts versions 0.9.0.5 through 0.9.1.1, and a fix is available in version 0.9.2.
इस CVE को अपने प्रोजेक्ट में पहचानें
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
The impact of this RCE vulnerability is severe. An attacker exploiting this flaw can gain complete control over the WordPress server hosting the affected website. This includes the ability to install malware, steal sensitive data (user credentials, database information, customer data), modify website content, and potentially pivot to other systems on the network. The prepareform() function's improper handling of user input, specifically passing it to calluserfuncarray(), creates the opportunity for arbitrary code execution. This is a high-risk scenario, similar to other RCE vulnerabilities in WordPress plugins that have led to widespread compromise.
शोषण संदर्भअनुवाद हो रहा है…
CVE-2025-13486 was publicly disclosed on December 2, 2025. While no active exploitation campaigns have been confirmed at the time of writing, the vulnerability's critical severity and ease of exploitation make it a likely target. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are expected to emerge, increasing the risk of widespread exploitation.
कौन जोखिम में हैअनुवाद हो रहा है…
Websites utilizing the Advanced Custom Fields: Extended plugin in versions 0.9.0.5 through 0.9.1.1 are at significant risk. Shared hosting environments are particularly vulnerable, as a compromise of one website can potentially impact others on the same server. WordPress installations with default or weak security configurations are also at higher risk.
पहचान के चरणअनुवाद हो रहा है…
• wordpress / composer / npm:
grep -r 'call_user_func_array' /var/www/html/wp-content/plugins/advanced-custom-fields-extended/• wordpress / composer / npm:
wp plugin list | grep 'advanced-custom-fields-extended'• wordpress / composer / npm:
wp plugin update advanced-custom-fields-extended• generic web: Check WordPress plugin directory for mentions of the vulnerability and potential exploit attempts. • generic web: Review WordPress access and error logs for suspicious activity related to the plugin.
हमले की समयरेखा
- Disclosure
disclosure
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
74.90% (99% शतमक)
CISA SSVC
CVSS वेक्टर
इन मेट्रिक्स का क्या मतलब है?
- Attack Vector
- नेटवर्क — इंटरनेट के माध्यम से दूरस्थ रूप से शोषण योग्य। कोई भौतिक या स्थानीय पहुंच आवश्यक नहीं।
- Attack Complexity
- निम्न — कोई विशेष शर्त नहीं। विश्वसनीय रूप से शोषण योग्य।
- Privileges Required
- कोई नहीं — बिना प्रमाणीकरण के शोषण योग्य।
- User Interaction
- कोई नहीं — स्वचालित और मूक हमला। पीड़ित कुछ नहीं करता।
- Scope
- अपरिवर्तित — प्रभाव केवल कमज़ोर घटक तक सीमित।
- Confidentiality
- उच्च — पूर्ण गोपनीयता हानि। हमलावर सभी डेटा पढ़ सकता है।
- Integrity
- उच्च — हमलावर कोई भी डेटा लिख, बदल या हटा सकता है।
- Availability
- उच्च — पूर्ण क्रैश या संसाधन समाप्ति। पूर्ण सेवा से इनकार।
प्रभावित सॉफ्टवेयर
पैकेज जानकारी
- सक्रिय इंस्टॉलेशन
- 100Kज्ञात
- प्लगइन रेटिंग
- 4.8
- WordPress आवश्यक
- 4.9+
- संगत संस्करण तक
- 7.0
- PHP आवश्यक
- 5.6+
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- संशोधित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The primary mitigation is to immediately upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests targeting the prepare_form() function with suspicious input. Thoroughly review WordPress user roles and permissions to limit the potential impact of a successful attack. After upgrading, confirm the vulnerability is resolved by attempting to trigger the vulnerable function with malicious input and verifying that it is properly sanitized.
कैसे ठीक करेंअनुवाद हो रहा है…
Update to version 0.9.2, or a newer patched version
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2025-13486 — RCE in Advanced Custom Fields: Extended?
CVE-2025-13486 is a critical Remote Code Execution vulnerability in the Advanced Custom Fields: Extended WordPress plugin, allowing attackers to execute arbitrary code on the server.
Am I affected by CVE-2025-13486 in Advanced Custom Fields: Extended?
You are affected if you are using Advanced Custom Fields: Extended versions 0.9.0.5 through 0.9.1.1. Check your plugin version immediately.
How do I fix CVE-2025-13486 in Advanced Custom Fields: Extended?
Upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2 or later to resolve the vulnerability. Disable the plugin if immediate upgrade is not possible.
Is CVE-2025-13486 being actively exploited?
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target. Monitor your systems closely.
Where can I find the official Advanced Custom Fields: Extended advisory for CVE-2025-13486?
Refer to the official Advanced Custom Fields: Extended plugin website and WordPress.org plugin repository for the latest advisory and updates.
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।