- Critical bug in ACF: Extended WordPress plugin allows arbitrary role escalation to admin
- About 50,000 WordPress sites are vulnerable despite patch in version 0.9.2.2
- No exploits have been reported yet, but attackers are likely to investigate vulnerable sites soon
About 50,000 WordPress sites are currently at risk of a site-wide takeover due to a critical vulnerability recently discovered in a popular plugin.
In mid-December 2025, Wordfence was notified by security researcher Andrea Bocchetti of a vulnerability in Advanced Custom Fields: Extended, a plugin that adds more features to the Advanced Custom Fields (ACF) plugin.
ACF itself lets users add custom fields to posts and pages; the Extended add-on is currently active on around 100,000 WordPress sites.
How to stay safe
Bocchetti said the bug stems from role restrictions not being properly enforced during forms-based user creation or updates.
“In the vulnerable version, there are no restrictions on form fields, so the user’s role can be set arbitrarily, even to ‘administrator’, regardless of the field settings, if a role field is added to the form,” Wordfence explained in its advisory.
“As with any privilege escalation vulnerability, this can be used to completely compromise the site.”
In other words, an unauthorized user submitting a user-creation or user-update form built with the plugin can hand their own account the administrator role and effectively take over the site.
The vulnerability affects version 0.9.2.1 and earlier and is now tracked as CVE-2025-14533. It carries a CVSS severity score of 9.8/10 (Critical).
The silver lining is that not every installation is exposed: a site is only affected if it uses a “Create User” or “Update User” form with a role field mapped. Where such a form exists, however, exploitation is as simple as submitting the form with the role set to administrator.
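To make the class of bug concrete, here is an added illustration in WordPress-flavoured PHP. It is not code from ACF: Extended or from Wordfence's advisory; it models the pattern the advisory describes (a front-end form whose submitted role field is written straight to the user) next to a hardened version that validates the submitted role against the field's configured allow-list. The function names and the `$field_config` / `$submitted` array shapes are hypothetical; the WordPress calls (`WP_User::set_role`, `get_role`, `get_option`, `sanitize_key`) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Models a user-creation form
// that maps a form field to the new user's role. Array keys and function
// names are hypothetical.

/**
 * Vulnerable pattern: the role that arrives in the submitted form field is
 * applied verbatim, so a visitor can POST role=administrator.
 */
function vulnerable_apply_role( WP_User $user, array $submitted ): void {
    if ( isset( $submitted['role'] ) ) {
        $user->set_role( $submitted['role'] );
    }
}

/**
 * Hardened pattern: the role field's configuration carries the roles it is
 * allowed to assign. The submitted value must be in that list and must be a
 * role that exists on the site; 'administrator' is stripped from the list so a
 * public form can never hand it out, even if misconfigured. Anything else
 * falls back to the configured default role. Returns the role actually set.
 */
function hardened_apply_role( WP_User $user, array $submitted, array $field_config ): string {
    // Roles the form designer allowed this field to assign (hypothetical key).
    $allowed = array_map( 'sanitize_key', (array) ( $field_config['allowed_roles'] ?? [] ) );

    // Never allow a public form to grant administrator.
    $allowed = array_diff( $allowed, [ 'administrator' ] );

    // Fallback: the field's configured default, else the site's default role.
    $default = sanitize_key(
        $field_config['default_role'] ?? get_option( 'default_role', 'subscriber' )
    );

    $wanted = sanitize_key( $submitted['role'] ?? $default );

    // Accept the submitted role only if it is allow-listed AND exists.
    $role = ( in_array( $wanted, $allowed, true ) && get_role( $wanted ) ) ? $wanted : $default;

    $user->set_role( $role );
    return $role;
}
```

The essential difference is that the hardened version treats the form field as untrusted input and the field settings as the authority, which is exactly the enforcement the advisory says was missing. Site owners who ran a vulnerable version with such a form can check for the outcome of abuse with WP-CLI, for example `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`, and review any administrator account they do not recognise.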
The bug was fixed in version 0.9.2.2. According to WordPress’ official statistics, approximately 50,000 websites have already updated to the latest version, leaving roughly as many still on vulnerable versions.
At press time, there was no evidence of the flaw being exploited in the wild, but now that the details are public, it’s safe to assume that cybercriminals will at least start probing for vulnerable sites.
Via Bleeping Computer