[CIVN-2026-0046] Privilege Escalation vulnerability in the Advanced Custom Fields: Extended plugin for WordPress

Published On: January 27, 2026

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Advanced Custom Fields: Extended plugin for WordPress (versions up to 0.9.2.1)
Overview
A vulnerability has been reported in the Advanced Custom Fields: Extended plugin for WordPress, which could allow an unauthenticated attacker to gain elevated privileges on the targeted system.
Target Audience:
Users and administrators of websites using the affected versions of the Advanced Custom Fields: Extended plugin for WordPress.
Risk Assessment:
High risk of unauthenticated attackers gaining elevated privileges, potentially leading to data exposure and service disruption.
Impact Assessment:
Potential for complete compromise of the affected WordPress website, including unauthorized administrator access, malicious modification of content or settings, data theft, and disruption of website services.
Description
Advanced Custom Fields: Extended (commonly ACF Extended) is a WordPress add-on plugin that extends Advanced Custom Fields with additional field types, forms, and developer tools for building custom content and user experiences.
A vulnerability exists in the plugin due to the insert_user function not restricting the roles with which a user can register. This makes it possible for attackers to supply the administrator role during registration and gain administrator access to the site.
Successful exploitation of this vulnerability may allow an unauthenticated attacker to gain elevated privileges on the targeted system.
Solution
Apply the appropriate software updates as mentioned in the security advisory below:
https://www.wordfence.com/blog/2026/01/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/
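An added triage example (not part of the CERT-In advisory or of the plugin's code): it checks WP-CLI JSON output for an install inside the affected range stated above and lists administrator accounts that need review, since the flaw lets a registering user obtain the administrator role. Assumptions: the plugin is listed under the name `acf-extended`, the inputs come from `wp plugin list --format=json` and `wp user list --role=administrator --format=json`, the known-administrator list and review-window start are chosen by the operator, and all sample data is constructed.

```python
import json
import re
from datetime import datetime

LAST_AFFECTED = "0.9.2.1"     # from the advisory: "versions up to 0.9.2.1"
PLUGIN_SLUG = "acf-extended"  # assumption: plugin name as listed by WP-CLI

def parse_version(text):
    """'0.9.2.1' -> (0, 9, 2, 1). Trailing zeros are dropped so 1.0 == 1;
    a non-numeric or empty component counts as 0."""
    parts = [int(re.match(r"\d*", p).group() or 0) for p in text.strip().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)

def affected_installs(plugin_list_json):
    """Input: output of `wp plugin list --format=json`."""
    return [p["version"] for p in json.loads(plugin_list_json)
            if p.get("name") == PLUGIN_SLUG and is_affected(p.get("version", ""))]

def admins_to_review(user_list_json, known_admins, since):
    """Input: output of `wp user list --role=administrator --format=json`.
    Flags administrator logins that are not on the operator's known list or
    were registered on or after `since` (start of the review window)."""
    flagged = []
    for user in json.loads(user_list_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in known_admins or registered >= since:
            flagged.append(user["user_login"])
    return flagged

# Constructed sample data, not taken from any real site.
SAMPLE_PLUGINS = json.dumps([
    {"name": "acf-extended", "status": "active", "version": "0.9.2.1"},
    {"name": "akismet", "status": "inactive", "version": "5.3"},
])
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2023-04-02 09:10:11"},
    {"ID": 57, "user_login": "webuser42", "user_registered": "2026-01-20 03:14:15"},
])

if __name__ == "__main__":
    print("affected installs:", affected_installs(SAMPLE_PLUGINS))
    print("admins to review:",
          admins_to_review(SAMPLE_USERS, {"siteowner"}, datetime(2026, 1, 1)))
```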
Vendor Information
wordpress
https://www.wordfence.com/blog/2026/01/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/
References
wordpress
https://www.wordfence.com/blog/2026/01/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/
CVE Name
CVE-2025-14533
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003