
Critical WordPress Flaw in ACF Extended Grants Hackers Instant Admin Rights

Tappy Admin
January 25, 2026

A critical severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited by unauthenticated attackers remotely to gain administrative permissions.

ACF Extended is a specialized plugin for developers and advanced site builders that extends the Advanced Custom Fields plugin, and it is currently active on 100,000 websites.

Tracked as CVE-2025-14533, the vulnerability affects ACF Extended versions 0.9.2.1 and below and lets an attacker obtain administrator privileges by abusing the plugin's 'Insert User / Update User' form action.

The vulnerability exists because role restrictions are not enforced during form-based user creation or updates, so the attack succeeds even when role restrictions are correctly configured in the field settings.

"In the vulnerable version, there are no restrictions for form fields, which means a user's role can be set arbitrarily to even 'administrator' independently of field settings, if there is a role field added to the form," Wordfence explains.

"As with any privilege escalation vulnerability, this can be used for complete site compromise," they warn.

Although the outcome of exploitation is severe, Wordfence notes that the vulnerability is only reachable on sites that expose a 'Create User' or 'Update User' form with a role field mapped to it.
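As an added illustration of the bug class described above (a hypothetical handler, not ACF Extended's code), the vulnerable variant below copies whatever role the form submission carries straight into the user data, while the hardened variant enforces the role allow-list configured for the form on the server side and falls back to a safe default. The function names, the allow-list constant and the sample submission are all assumptions constructed for this example.

```php
<?php
// Hypothetical WordPress-style form handler, constructed to illustrate the bug class.
// Not ACF Extended's code.

// Roles the site builder permitted in the form's field settings (constructed example).
const FORM_ALLOWED_ROLES = ['subscriber', 'contributor'];
const DEFAULT_ROLE       = 'subscriber';

// Vulnerable pattern: the submitted role is trusted as-is, so 'administrator' is
// accepted even though the field settings never offered it.
function build_userdata_vulnerable(array $post): array {
    return [
        'user_login' => $post['user_login'] ?? '',
        'user_email' => $post['user_email'] ?? '',
        'user_pass'  => $post['user_pass'] ?? '',
        'role'       => $post['role'] ?? DEFAULT_ROLE,   // attacker-controlled value
    ];
}

// Hardened pattern: the role is validated against the allow-list configured for this
// form; anything else (including a missing field) is replaced by the default role.
function build_userdata_hardened(array $post, array $allowed = FORM_ALLOWED_ROLES): array {
    $role = $post['role'] ?? DEFAULT_ROLE;
    if (!is_string($role) || !in_array($role, $allowed, true)) {
        $role = DEFAULT_ROLE;
    }
    return [
        'user_login' => $post['user_login'] ?? '',
        'user_email' => $post['user_email'] ?? '',
        'user_pass'  => $post['user_pass'] ?? '',
        'role'       => $role,
    ];
}

// Constructed submission carrying a role the field settings never allowed.
$submission = [
    'user_login' => 'newuser',
    'user_email' => 'newuser@example.com',
    'user_pass'  => 'example-password',
    'role'       => 'administrator',
];

// The hardened array is what a WordPress handler would pass to wp_insert_user() or
// wp_update_user(); the allow-list check has to happen server-side before that call.
echo 'vulnerable handler keeps role: ', build_userdata_vulnerable($submission)['role'], PHP_EOL;
echo 'hardened handler applies role: ', build_userdata_hardened($submission)['role'], PHP_EOL;
```

For an update form, the safe fallback should be the user's existing role rather than the default, so that a rejected value never changes privileges in either direction.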

CVE-2025-14533 was discovered by security researcher Andrea Bocchetti, who reported it to Wordfence on December 10, 2025, so that the vulnerability could be verified and disclosed to the vendor.

The vendor fixed the issue four days later with the release of ACF Extended version 0.9.2.2.

Download statistics on the WordPress.org plugin page show roughly 50,000 downloads in the months since the fix was released. Assuming all of those downloads were of the patched version, an equal number of sites, the remaining half of the install base, may still be running a vulnerable version.

WordPress plugin enumeration activity

Although no attacks targeting CVE-2025-14533 have been reported so far, threat research firm GreyNoise has observed large-scale WordPress plugin reconnaissance scans searching for potentially vulnerable sites.

According to GreyNoise, between late October 2025 and mid-January 2026, almost 1,000 IPs across 145 ASNs scanned for 706 different WordPress plugins in more than 40,000 unique enumeration attempts.
The top targeted plugins are Post SMTP, Loginizer, LiteSpeed Cache, SEO by Rank Math, Elementor, and Duplicator.

Wordfence observed active exploitation of the Post SMTP flaw, CVE-2025-11833, as early as November 2025, and GreyNoise reports that it was targeted from 91 different IPs.

The next vulnerability that GreyNoise recommended admins address is CVE-2024-28000, affecting LiteSpeed Cache and marked as actively exploited by Wordfence as of August 2024.
