A newly identified security flaw in the popular Advanced Custom Fields: Extended WordPress plugin has raised serious concerns, as more than 100,000 websites face the risk of complete compromise if the issue is not fixed promptly.
The vulnerability, tracked as CVE-2025-14533, affects all plugin versions up to and including 0.9.2.1. It carries a CVSS score of 9.8, placing it in the critical category. Security researchers warned that the flaw allows an unauthenticated attacker to gain administrator-level access, giving them full control over a vulnerable website.
The root cause of the issue lies in weak role validation. The plugin enables website owners to create custom user registration and profile forms without coding. These forms collect data such as usernames, email addresses, passwords, and user roles.
Under standard WordPress security rules, role assignment during registration is strictly controlled. However, analysts found that affected versions of the plugin fail to enforce these restrictions properly. The flaw was reported through a bug bounty submission credited to Andrea Bocchetti; the security firm's researchers who analysed it found that the plugin's insert_user form action does not adequately restrict the role values it accepts when the form is exposed publicly.
This gap allows attackers to submit a crafted HTTP request that assigns the administrator role directly. Even if the form interface appears restricted, the backend does not validate the input. The plugin then passes this data to WordPress’ wp_insert_user() function, resulting in the creation of a full administrator account without authentication, password guessing, or user interaction.
Security experts described the vulnerability as low effort but high impact. Once admin access is obtained, attackers can install malicious plugins or themes, modify content, redirect users to phishing or malware pages, inject spam or SEO manipulation code, and create additional admin accounts to retain control.
The issue impacts Advanced Custom Fields: Extended versions 0.9.2.1 and earlier. The developer has fixed the flaw in version 0.9.2.2 by adding strict server-side role validation. Website owners have been urged to update immediately. While some security vendors have added firewall protections, experts cautioned that delayed updates leave sites exposed.
Exploitation is only possible if a site hosts a publicly accessible form that maps a user role field to account creation or updates. Even so, professionals recommend updating all installations to remove hidden risks.
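To make the mechanism and the fix concrete, the following is an added example written for this article; it is not the plugin's or WordPress' own code. It models a form handler in Python: the vulnerable variant forwards whatever `role` the request carries (the pass-through described above), while the hardened variant decides the role server-side, never trusting the form UI, and only lets an authenticated caller holding the promote_users capability assign anything other than the default role. It also includes the site-owner audit implied by the precondition above: listing the public forms that map a role field into account creation. `FormConfig`, `Caller`, `resolve_role` and the request payload are constructed for the example.

```python
"""Server-side role validation for a public registration form (added example).

Constructed model of the flaw class: a handler receives untrusted request
fields and must decide which role, if any, the new account may receive.
"""
from dataclasses import dataclass
from typing import Optional

# WordPress' built-in role slugs; in this model they are the only roles on the site.
SITE_ROLES = frozenset({"administrator", "editor", "author", "contributor", "subscriber"})

# The role an open registration hands out (WordPress' default_role on a fresh install).
DEFAULT_ROLE = "subscriber"


@dataclass(frozen=True)
class FormConfig:
    """Site-owner configuration for one form (constructed model, not the plugin's)."""
    name: str
    public: bool            # reachable without logging in?
    maps_role_field: bool   # does the form feed a role value into account creation?


@dataclass(frozen=True)
class Caller:
    """Who submitted the request; None in the handlers below means an anonymous visitor."""
    can_promote_users: bool  # the WordPress capability that governs role changes


class RoleValidationError(ValueError):
    """Raised instead of creating an account with an unexpected role."""


def insert_user_vulnerable(fields: dict) -> dict:
    """The pattern the advisory describes: the submitted role is forwarded
    to account creation unchanged, so the form UI is the only 'control'."""
    return {"user_login": fields["user_login"], "role": fields.get("role", DEFAULT_ROLE)}


def resolve_role(fields: dict, caller: Optional[Caller]) -> str:
    """Decide the role on the server. The rendered form is never trusted."""
    requested = fields.get("role")
    if requested is None or requested == DEFAULT_ROLE:
        return DEFAULT_ROLE
    if requested not in SITE_ROLES:
        raise RoleValidationError(f"unknown role {requested!r}")
    # Only an authenticated caller holding promote_users may assign a
    # non-default role; anonymous registration never can, whatever the form offers.
    if caller is None or not caller.can_promote_users:
        raise RoleValidationError(f"caller may not assign role {requested!r}")
    return requested


def insert_user_hardened(fields: dict, caller: Optional[Caller]) -> dict:
    """Same handler with strict server-side role validation applied first."""
    return {"user_login": fields["user_login"], "role": resolve_role(fields, caller)}


def exposed_forms(forms) -> list:
    """Defender audit: names of forms that are both public and map a role
    field into account creation, i.e. the precondition for this flaw class."""
    return [f.name for f in forms if f.public and f.maps_role_field]


if __name__ == "__main__":
    # Constructed request from an anonymous visitor asking for the highest role.
    crafted = {"user_login": "newuser", "user_email": "new@example.invalid",
               "user_pass": "x", "role": "administrator"}
    print("vulnerable handler assigns:", insert_user_vulnerable(crafted)["role"])
    try:
        insert_user_hardened(crafted, caller=None)
    except RoleValidationError as err:
        print("hardened handler rejects:", err)
    forms = [FormConfig("front-end-signup", public=True, maps_role_field=True),
             FormConfig("newsletter", public=True, maps_role_field=False),
             FormConfig("staff-onboarding", public=False, maps_role_field=True)]
    print("forms to review first:", exposed_forms(forms))
```

The hardened handler rejects rather than silently downgrades an out-of-policy role, so the attempt surfaces as an error a site owner can log and alert on; the audit function gives the same owner a short list of which forms to review while the update is rolled out.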
The disclosure highlights ongoing risks tied to plugin-based user management in WordPress, reinforcing the need for regular audits, timely updates, and layered security controls.