ACF Plugin Bug Gives Hackers Admin on 50,000 WordPress Sites

ACF plugin bug gives hackers admin on 50,000 WordPress sites

A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions.

ACF Plugin Bug Gives Hackers Admin On 50,000 WordPress Sites - Cybernoz - Cybersecurity News

A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions. ACF Extended, currently active on 100,000 websites, is a specialized plugin that extends the capabilities of the Advanced Custom Fields (ACF) plugin with features for developers and advanced site builders. The vulnerability, tracked as CVE-2025-1…

Critical WordPress Plugin Vulnerability Exposes 100,000+ Websites to Privilege Escalation Attacks

A critical privilege escalation vulnerability discovered in the Advanced Custom Fields: Extended WordPress plugin threatens over 100,000 active installations. The vulnerability, identified as CVE-2025-14533 with a CVSS score of 9.8, allows unauthenticated attackers to elevate their privileges to administrative by exploiting a misconfigured user registration form. The Advanced Custom Fields: Extended plugin, an addon for […] The post Critical Wor…

100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin

On December 10th, 2025, we received a submission for a Privilege Escalation vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000+ active installations. This vulnerability makes it …