A critical security vulnerability has been disclosed in the Advanced Custom Fields: Extended plugin for WordPress, exposing up to 100,000 installations to full site compromise. The flaw allows unauthenticated attackers to register accounts with administrator privileges, granting complete control over affected websites.
Rated 9.8 on the CVSS severity scale, the issue represents one of the most serious categories of WordPress plugin vulnerabilities due to the absence of authentication requirements and the level of access attackers can obtain.
Widely used ACF add-on affected
Advanced Custom Fields: Extended is an add-on for Advanced Custom Fields Pro, commonly used by developers and site owners to manage complex custom fields, front-end forms, custom post types, and administrative workflows. The plugin is frequently deployed on sites that rely on user-facing forms and advanced content management features.
Because of its broad adoption and integration into front-end functionality, the vulnerability carries elevated risk when misconfigured forms are exposed publicly.
How the vulnerability is exploited
The flaw is a privilege escalation issue caused by missing server-side role restrictions during user registration. A function responsible for creating new users does not enforce limitations on which WordPress roles can be assigned.
When a site uses a front-end form that maps a custom field directly to the WordPress user role field, an attacker can manipulate the form submission to assign themselves the administrator role. The plugin fails to verify whether the submitted role matches the allowed options defined by the site owner.
This weakness stems from reliance on front-end controls to restrict role selection, without validating submitted values on the server. An attacker can intercept the registration request and replace an expected role value, such as “subscriber,” with “administrator,” bypassing WordPress’s native safeguards.
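To make the defect concrete, here is an added illustration (not code from the plugin or its authors) of a hypothetical front-end registration handler that trusts the submitted role, next to a hardened version that validates the role against the site owner's allow-list on the server. The function names, the `$form` array and the `$allowed_roles` list are assumptions; the WordPress calls (`wp_insert_user`, `get_role`, `WP_Error`) are the real API.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical handler that
// maps a front-end form field straight onto the WordPress user role, and a
// hardened version that enforces the allowed roles server-side.

// VULNERABLE PATTERN: the submitted value decides the role. The <select> on the
// form only constrains well-behaved browsers; the request itself can carry any
// role string, so the client picks its own privileges.
function example_register_user_vulnerable( array $form ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $form['user_login'] ?? '' ),
        'user_email' => sanitize_email( $form['user_email'] ?? '' ),
        'user_pass'  => $form['user_pass'] ?? '',
        'role'       => $form['role'] ?? 'subscriber', // trusted as submitted
    ) );
}

// HARDENED PATTERN: the allow-list configured by the site owner is the source
// of truth; the submission may only choose from it, and privileged roles are
// refused outright even if the form was misconfigured to offer them.
function example_register_user_hardened( array $form, array $allowed_roles, string $default_role = 'subscriber' ) {
    $requested = isset( $form['role'] ) ? sanitize_key( $form['role'] ) : $default_role;

    // Server-side check that the front-end control was supposed to guarantee.
    if ( ! in_array( $requested, $allowed_roles, true ) ) {
        return new WP_Error( 'invalid_role', 'Requested role is not permitted for this form.' );
    }

    // Defence in depth: a public registration form must never hand out a role
    // that carries administrative capability, regardless of configuration.
    $role_obj = get_role( $requested );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) ) {
        return new WP_Error( 'invalid_role', 'Privileged roles cannot be assigned through a public form.' );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $form['user_login'] ?? '' ),
        'user_email' => sanitize_email( $form['user_email'] ?? '' ),
        'user_pass'  => $form['user_pass'] ?? '',
        'role'       => $requested,
    ) );
}
```

The `manage_options` check is the layer that would have blocked this class of bug even where the allow-list itself was misconfigured to include an elevated role.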
Impact of successful exploitation
If exploited, the attacker gains administrator-level access, enabling complete takeover of the site. This level of control allows malicious actors to:
- Install or modify plugins and themes
- Inject malicious code or backdoors
- Create additional administrator accounts
- Access or alter sensitive site data
- Redirect visitors or distribute malware
Security researchers have reported active exploitation attempts targeting the vulnerability, increasing the urgency for remediation.
Conditions required for exposure
The vulnerability is not automatically exploitable on every installation. Exploitation requires that:
- The plugin is active on the site
- A front-end form created with the plugin is publicly accessible
- The form maps a custom field directly to the WordPress user role field
Sites meeting these conditions face immediate risk.
Patch available and recommended action
The issue affects all plugin versions up to and including 0.9.2.1. It has been addressed in version 0.9.2.2, which introduces stricter validation of front-end form fields and additional safeguards around user role assignment.
Site owners are strongly advised to update to the latest version immediately. If updating is not possible, disabling the plugin until the patch can be applied is the only effective mitigation.
Given the severity of the vulnerability and the lack of authentication barriers, delaying action leaves affected WordPress sites vulnerable to complete compromise.