Critical Security Flaw Found in WordPress ACF Extended Plugin

A newly disclosed security issue in the Advanced Custom Fields: Extended plugin has placed as many as 100,000 WordPress websites at serious risk, allowing attackers to take full control of affected sites without needing to log in.

The vulnerability carries a critical severity score of 9.8 and enables attackers to create administrator accounts on vulnerable sites, effectively handing over complete ownership of the WordPress installation.


What Is Advanced Custom Fields: Extended?

Advanced Custom Fields: Extended (often called ACF Extended) is an enhancement plugin built to work alongside Advanced Custom Fields Pro. It’s widely used by developers and site owners to add advanced functionality such as:

  • Front-end user forms

  • Custom options pages

  • Custom post types and taxonomies

  • Enhanced admin dashboard customization

  • More flexible content management workflows

Because of its flexibility and ease of use, the plugin has gained broad adoption, especially on sites that rely on front-end interactions and user-generated content.


Why This Vulnerability Is So Dangerous

What makes this flaw particularly severe is that no authentication is required to exploit it. An attacker does not need a username, password, or any prior access to the site.

As long as the vulnerable plugin version is installed and configured in a specific way, anyone on the internet can attempt to abuse it. This dramatically lowers the barrier to exploitation and increases the likelihood of automated attacks.


How the Privilege Escalation Works

At the core of the issue is a missing role restriction during user registration.

The plugin includes a function responsible for creating new users from front-end forms. However, this function fails to enforce limits on which WordPress roles can be assigned during registration.

Under normal circumstances, WordPress tightly controls role assignment to prevent users from granting themselves elevated permissions. In this case, that safeguard was bypassed.

If a front-end form was configured to map a field directly to the WordPress user role, the plugin would accept whatever role value was submitted, without verifying whether it was allowed.


Breakdown of the Technical Weakness

The vulnerability stems from insufficient server-side validation. While the form’s interface might only display safe options (such as “Subscriber”), the backend failed to verify that the submitted value matched those permitted choices.

An attacker could:

  1. Inspect the front-end form’s HTML

  2. Identify the field responsible for user roles

  3. Intercept the form submission

  4. Modify the request to assign administrator instead of a low-privilege role

Because the plugin trusted the submitted value, WordPress would then create a new administrator account for the attacker.

What Changed in the Patch

The plugin developers addressed the issue by strengthening validation logic and adding explicit protections around role selection.

According to the changelog, the fixes include:

  • Enforcing strict validation against predefined field choices

  • Adding additional security checks when forms allow role selection

  • Introducing hooks for validating individual fields on submission

  • Allowing controlled bypasses only when explicitly configured

These changes ensure that user-submitted values can no longer override intended role restrictions.
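As an added illustration (not the plugin's own code; the function and field names are hypothetical), the difference between trusting a submitted role and validating it against the form's predefined choices, which is what the patch description requires:

```php
<?php
// Added example, not ACF Extended code. Shows how a front-end registration
// handler should treat a user-submitted role. All names are hypothetical.

// Form configuration as a site owner would set it: the only role the
// dropdown is meant to offer.
$form_role_choices = ['subscriber' => 'Subscriber'];

// Roles that must never be assignable from an unauthenticated form,
// regardless of how the form's choices are configured.
const PRIVILEGED_ROLES = ['administrator', 'editor', 'author', 'contributor'];

// Vulnerable pattern: the submitted value is accepted as-is.
function role_from_request_unsafe(array $post): string {
    return $post['user_role'] ?? 'subscriber';
}

// Hardened pattern: the submitted value is accepted only if it is one of
// the form's predefined choices and is not a privileged role. Anything
// else falls back to the default role instead of being honoured.
function role_from_request_safe(array $post, array $choices, string $default = 'subscriber'): string {
    $submitted = $post['user_role'] ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return $default;
    }
    $submitted = strtolower(trim($submitted));
    // Strict comparison against the keys the form was configured with.
    if (!array_key_exists($submitted, $choices)) {
        return $default;
    }
    // Defence in depth: even a misconfigured form cannot hand out admin.
    if (in_array($submitted, PRIVILEGED_ROLES, true)) {
        return $default;
    }
    return $submitted;
}

// Constructed request matching the article's description: the role field
// of the form submission rewritten to "administrator".
$tampered_post = ['user_login' => 'newuser', 'user_role' => 'administrator'];

echo "unsafe handler would assign: ", role_from_request_unsafe($tampered_post), "\n";
echo "safe handler assigns:        ", role_from_request_safe($tampered_post, $form_role_choices), "\n";

// In a real handler the value returned by role_from_request_safe() is what
// gets passed to wp_insert_user(['role' => $role, ...]); a further check
// with wp_roles()->is_role($role) confirms the role actually exists.
```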


What Attackers Can Do With This Access

If exploited successfully, attackers gain administrator-level control, which allows them to:

  • Install or alter plugins and themes

  • Inject malicious scripts or backdoors

  • Create additional hidden admin accounts

  • Steal or manipulate database content

  • Redirect traffic or distribute malware

At this level, the site is considered fully compromised.

Security researchers have already reported active exploitation attempts, indicating that attackers are scanning for vulnerable installations.


When Is a Site Actually Vulnerable?

Not every site using the plugin is automatically exposed. Exploitation is only possible if all of the following conditions are met:

  • A vulnerable version of the plugin is installed on the site

  • A front-end form created by the plugin is in use

  • That form maps a custom field directly to the WordPress user role

Sites without this configuration are not directly affected, though updating is still strongly recommended.


Affected Versions and Recommended Action

The vulnerability impacts all versions up to and including 0.9.2.1. The issue has been fixed in version 0.9.2.2.

Site owners should take immediate action:

  • Update the plugin to the latest version (0.9.2.2 or later) without delay

  • If updating is not possible, disable the plugin temporarily

Given the critical severity and the lack of authentication required to exploit the flaw, postponing remediation leaves sites open to a complete takeover.
