Impact
The Advanced Custom Fields: Extended plugin for WordPress contains a flaw that allows an unauthenticated attacker to create a new user account with the administrator role. The flaw exists because the plugin's insert_user function does not restrict which roles may be assigned when a value for the role field is supplied with the submission: the submitted value is passed through as the new account's role. An attacker who submits "administrator" in the role field of an affected form therefore obtains an account with full administrator privileges, and with it complete control over the site.
Affected Systems
All installations of the Advanced Custom Fields: Extended plugin up to and including version 0.9.2.1 are vulnerable. The flaw is reachable only through a form built with the plugin's form module in which the role field is mapped to a custom field; sites that use such a mapping on an affected version are impacted. Version 0.9.2.2 and later are not affected.
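The pattern described above, and a hardened alternative, as an added example that is not ACF Extended's own code. The function and option names (acfe_example_*) are hypothetical; the WordPress calls (wp_insert_user, current_user_can, wp_roles, get_option, sanitize_key) are real. The decision logic is kept in a pure function so it can be checked without WordPress:

```php
<?php
/*
 * Added example, not code from ACF Extended. Shows the vulnerable pattern
 * (submitted role passed straight through) beside a hardened handler.
 * Names prefixed acfe_example_ and the option 'acfe_example_form_roles'
 * are hypothetical.
 */

// VULNERABLE pattern: whatever the form submitted as "role" reaches wp_insert_user().
function acfe_example_insert_user_vulnerable( array $form ) {
    $userdata = array(
        'user_login' => $form['user_login'],
        'user_email' => $form['user_email'],
        'user_pass'  => $form['user_pass'],
        'role'       => $form['role'],   // attacker supplies "administrator"
    );
    return wp_insert_user( $userdata );
}

/*
 * Pure decision function (no WordPress dependency): returns the role the new
 * account may receive, or null to reject the submission.
 *   $requested   role value from the submission (may be absent or tampered)
 *   $allowed     roles the site owner explicitly permits this form to assign
 *   $can_promote whether the submitter holds the promote_users capability
 *   $default     site default role, used when the form supplies none
 */
function acfe_example_resolve_role( $requested, array $allowed, $can_promote, $default ) {
    if ( $requested === null || $requested === '' ) {
        return $default;
    }
    // Someone allowed to promote users (an administrator working in the
    // dashboard) may request any role; everyone else, including anonymous
    // visitors, is confined to the form's allowlist.
    if ( $can_promote ) {
        return $requested;
    }
    return in_array( $requested, $allowed, true ) ? $requested : null;
}

// HARDENED handler: the submitted role is validated before wp_insert_user() runs.
function acfe_example_insert_user_hardened( array $form ) {
    // Hypothetical option holding this form's allowlist. Administrator is
    // stripped unconditionally so a misconfigured option cannot reopen the hole.
    $allowed = (array) get_option( 'acfe_example_form_roles', array( 'subscriber' ) );
    $allowed = array_values( array_diff( $allowed, array( 'administrator' ) ) );

    $role = acfe_example_resolve_role(
        isset( $form['role'] ) ? sanitize_key( $form['role'] ) : null,
        $allowed,
        is_user_logged_in() && current_user_can( 'promote_users' ),
        get_option( 'default_role', 'subscriber' )
    );
    if ( $role === null || ! wp_roles()->is_role( $role ) ) {
        return new WP_Error( 'acfe_example_bad_role', 'Requested role is not assignable from this form.' );
    }
    $userdata = array(
        'user_login' => sanitize_user( $form['user_login'] ),
        'user_email' => sanitize_email( $form['user_email'] ),
        'user_pass'  => $form['user_pass'],
        'role'       => $role,
    );
    return wp_insert_user( $userdata );
}

// Stand-alone check of the decision logic when run under plain `php` (no WordPress loaded).
if ( ! function_exists( 'wp_insert_user' ) ) {
    $allowed = array( 'subscriber' );
    $cases = array(
        // requested,       can_promote, expected
        array( 'administrator', false, null ),          // the attack: rejected
        array( 'subscriber',    false, 'subscriber' ),  // allowlisted: accepted
        array( null,            false, 'subscriber' ),  // absent: default role
        array( 'editor',        true,  'editor' ),      // privileged submitter: accepted
    );
    foreach ( $cases as list( $req, $promote, $want ) ) {
        if ( acfe_example_resolve_role( $req, $allowed, $promote, 'subscriber' ) !== $want ) {
            throw new RuntimeException( 'role check failed for ' . var_export( $req, true ) );
        }
    }
    echo "role checks passed\n";
}
```

The essential change is that the role reaching wp_insert_user() is chosen by the server from an allowlist the site owner controls, never taken from the request, and that the allowlist check is keyed on the submitter's capability rather than on the presence of a field value.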
Risk and Exploitability
With a CVSS score of 9.8, the vulnerability is rated critical. Its EPSS score is below 1%, meaning a low estimated probability of exploitation in the wild over the near term, and the issue is not listed in CISA's KEV catalog. The attack vector is the web: an unauthenticated visitor submits the plugin's user-registration form. The flaw is exploitable only where a form maps the role field, which is a common configuration. Once exploited, the attacker holds site-wide administrative access and can modify site content, plugins, users, and configuration.
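A check a responder would run on a site that carried an affected version, as an added example that is not from the plugin or from OpenCVE: confirm the installed plugin version against the affected range and list administrator accounts newest-first so an account created through the form stands out. It is meant to be run with WP-CLI (`wp eval-file acfe-audit.php`); the plugin path acf-extended/acf-extended.php and the acfe_example_* names are assumptions, the WordPress calls (get_users, get_plugin_data) are real, and the version comparison can be checked under plain php without WordPress:

```php
<?php
/*
 * Added example, not code from ACF Extended or OpenCVE. Run inside WordPress
 * via `wp eval-file acfe-audit.php`. Plugin path and acfe_example_* names are
 * assumptions; adjust the path to match the site.
 */

// Pure helper: is this plugin version in the affected range (<= 0.9.2.1)?
function acfe_example_version_affected( $version ) {
    return version_compare( $version, '0.9.2.1', '<=' );
}

// Administrator accounts, newest registration first. An account the site
// owner does not recognise, registered while an affected version was active,
// is the indicator to look for.
function acfe_example_list_admins() {
    $rows = array();
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    foreach ( $admins as $u ) {
        $rows[] = array(
            'ID'         => $u->ID,
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered,
        );
    }
    return $rows;
}

if ( function_exists( 'get_users' ) ) {
    // Assumed plugin file; verify with `wp plugin list` on the site.
    $plugin_file = WP_PLUGIN_DIR . '/acf-extended/acf-extended.php';
    if ( file_exists( $plugin_file ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
        $data = get_plugin_data( $plugin_file, false, false );
        printf( "ACF Extended %s: %s\n", $data['Version'],
            acfe_example_version_affected( $data['Version'] ) ? 'AFFECTED, update now' : 'not affected' );
    } else {
        echo "ACF Extended not found at the assumed path\n";
    }
    printf( "%5s  %-20s %-30s %s\n", 'ID', 'login', 'email', 'registered' );
    foreach ( acfe_example_list_admins() as $r ) {
        printf( "%5d  %-20s %-30s %s\n", $r['ID'], $r['login'], $r['email'], $r['registered'] );
    }
} else {
    // Stand-alone check of the version comparison when run outside WordPress.
    $cases = array( '0.9.2.1' => true, '0.9.2.2' => false, '0.9.1' => true, '0.9.3' => false );
    foreach ( $cases as $v => $want ) {
        if ( acfe_example_version_affected( $v ) !== $want ) {
            throw new RuntimeException( "version check failed for $v" );
        }
    }
    echo "version checks passed\n";
}
```

Registration date alone is not proof of compromise; compare the list against the administrators the site owner knows about, and treat any unexplained account registered while version 0.9.2.1 or earlier was installed as a reason to reset credentials and review what that account changed.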
OpenCVE Enrichment