Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form
Platform
wordpress
Component
acf-extended
Fixed in
0.9.2
CVE-2025-13486 is a critical Remote Code Execution (RCE) vulnerability discovered in the Advanced Custom Fields: Extended plugin for WordPress. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server, leading to complete system compromise. It impacts versions 0.9.0.5 through 0.9.1.1, and a fix is available in version 0.9.2.
Impact and Attack Scenarios
The impact of this RCE vulnerability is severe. An attacker exploiting this flaw can gain complete control over the WordPress server hosting the affected website. This includes the ability to install malware, steal sensitive data (user credentials, database contents, customer data), modify website content, and potentially pivot to other systems on the network. The root cause is that prepare_form() passes user-controlled input to call_user_func_array() without adequate validation, so an unauthenticated request can determine which PHP callable is invoked and with what arguments. This is the same class of flaw as other dynamic-callable RCE vulnerabilities in WordPress plugins that have led to widespread compromise.
Exploitation Context
CVE-2025-13486 was publicly disclosed on December 2, 2025. While no active exploitation campaigns have been confirmed at the time of writing, the vulnerability's critical severity and ease of exploitation make it a likely target. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are expected to emerge, increasing the risk of widespread exploitation.
Who Is at Risk
Websites running the Advanced Custom Fields: Extended plugin in versions 0.9.0.5 through 0.9.1.1 are at significant risk, regardless of how the plugin is configured, because the flaw is reachable without authentication. Shared hosting environments are particularly exposed, since a compromise of one site can affect others on the same server. Installations with weak hardening (PHP execution allowed in upload directories, overly broad file permissions, no integrity monitoring) give an attacker more room to persist and escalate after the initial compromise.
Detection Steps
• wordpress / composer / npm:
  wp plugin get acf-extended --field=version
  (or: wp plugin list | grep 'acf-extended'; versions 0.9.0.5 through 0.9.1.1 are affected)
• wordpress / composer / npm:
  grep -r 'call_user_func_array' /var/www/html/wp-content/plugins/acf-extended/
  (this only locates dynamic-callable use in the plugin source; the patched release may still use the function legitimately, so treat the installed version, not a grep hit, as the indicator)
• wordpress / composer / npm:
  wp plugin update acf-extended
• generic web: Check the WordPress.org plugin page and changelog for the advisory and the 0.9.2 release notes.
• generic web: Review WordPress access and error logs for suspicious activity related to the plugin (unexpected requests to the plugin's handlers, PHP errors or warnings referencing prepare_form()).
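The version check above is the one reliable indicator, but four-component version strings such as 0.9.0.5 are easy to compare wrongly by eye or with a plain string comparison. The following script is an added example written for this page, not a tool from the advisory or from the plugin project; it reads the Version: line from a WordPress plugin header and classifies it against the affected range stated on this page. It assumes GNU sort -V for version ordering and the standard plugin-header layout; the sample header it runs against is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): classify an installed
# copy of Advanced Custom Fields: Extended against the CVE-2025-13486 range.
# Assumes GNU sort -V and a standard WordPress plugin header block.
set -u

AFFECTED_LO="0.9.0.5"   # first affected version per the advisory
AFFECTED_HI="0.9.1.1"   # last affected version per the advisory
FIXED_IN="0.9.2"        # first fixed version per the advisory

# version_le A B: succeeds when A <= B under version ordering.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_affected VERSION: succeeds when VERSION is within [LO, HI].
is_affected() {
    version_le "$AFFECTED_LO" "$1" && version_le "$1" "$AFFECTED_HI"
}

# classify_version VERSION: prints affected | fixed | older | unlisted.
classify_version() {
    if is_affected "$1"; then
        echo "affected"
    elif version_le "$FIXED_IN" "$1"; then
        echo "fixed"        # 0.9.2 or later
    elif version_le "$AFFECTED_LO" "$1"; then
        echo "unlisted"     # above the range but below the fix; not covered by the advisory
    else
        echo "older"        # predates the affected range; still upgrade
    fi
}

# plugin_version FILE: print the "Version:" value from a plugin header
# (the main plugin file, e.g. wp-content/plugins/acf-extended/acf-extended.php).
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_plugin_file FILE: classify the plugin whose header is in FILE,
# or print "unknown" when no Version: line is present.
check_plugin_file() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    else
        classify_version "$v"
    fi
}

# Stand-alone demo on a constructed header (not a real plugin file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<?php
/**
 * Plugin Name: Advanced Custom Fields: Extended
 * Version: 0.9.1.1
 */
EOF
    printf 'sample header version %s -> %s\n' "$(plugin_version "$tmp")" "$(check_plugin_file "$tmp")"
    rm -f "$tmp"
}
demo
```

To use it on a live install, replace the demo with `check_plugin_file /var/www/html/wp-content/plugins/acf-extended/acf-extended.php`; a result of `affected` means upgrade to 0.9.2 or later, and `unknown` means the file is not the plugin's main file or the header was stripped, in which case fall back to `wp plugin get acf-extended --field=version`.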
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
74.90% (99th percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: no authentication required to exploit.
- User Interaction
- None: automatic and silent attack. The victim does nothing.
- Scope
- Unchanged: impact limited to the vulnerable component.
- Confidentiality
- High: complete loss of confidentiality. The attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete all data.
- Availability
- High: complete crash or resource exhaustion. Total denial of service.
Affected Software
Package Information
- Active installations
- 100K (known)
- Plugin rating
- 4.8
- Requires WordPress
- 4.9+
- Tested up to
- 7.0
- Requires PHP
- 5.6+
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation is to upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2 or later immediately. If upgrading is not immediately feasible because of compatibility concerns, deactivate the plugin until it can be updated; WordPress does not load the code of a deactivated plugin, so prepare_form() is no longer reachable. Note that prepare_form() is a PHP function, not an HTTP endpoint, so a Web Application Firewall cannot target it by name; WAF rules that block anomalous or known-malicious request patterns against the plugin's request handlers can reduce exposure, but they are a stopgap rather than a fix. Because the flaw requires no authentication, reviewing WordPress user roles and permissions does not reduce exploitability; it remains worthwhile general hardening that limits what an attacker gains from any account they obtain. After upgrading, confirm that the installed version is 0.9.2 or later (for example with wp plugin get acf-extended --field=version) and, only where you are authorized to test, verify that the patched release no longer passes untrusted input to call_user_func_array() in prepare_form(). Since the vulnerability is unauthenticated, also check for indicators of compromise: unexpected PHP files under wp-content/uploads or the plugin directory, unknown administrator accounts, and modified core or plugin files (wp core verify-checksums and wp plugin verify-checksums --all).
How to Fix
Update to version 0.9.2, or a newer patched version
Frequently Asked Questions
What is CVE-2025-13486 — RCE in Advanced Custom Fields: Extended?
CVE-2025-13486 is a critical Remote Code Execution vulnerability in the Advanced Custom Fields: Extended WordPress plugin, allowing attackers to execute arbitrary code on the server.
Am I affected by CVE-2025-13486 in Advanced Custom Fields: Extended?
You are affected if you are using Advanced Custom Fields: Extended versions 0.9.0.5 through 0.9.1.1. Check your plugin version immediately.
How do I fix CVE-2025-13486 in Advanced Custom Fields: Extended?
Upgrade the Advanced Custom Fields: Extended plugin to version 0.9.2 or later to resolve the vulnerability. Disable the plugin if immediate upgrade is not possible.
Is CVE-2025-13486 being actively exploited?
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target. Monitor your systems closely.
Where can I find the official Advanced Custom Fields: Extended advisory for CVE-2025-13486?
Refer to the official Advanced Custom Fields: Extended plugin website and WordPress.org plugin repository for the latest advisory and updates.