Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2026-05-12
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Advanced Custom Fields: Extended WordPress plugin: an action handler in its form module passes a request-supplied value to do_shortcode without validating it, so an unauthenticated attacker can cause any shortcode registered on the site (by WordPress core, the active theme or any other active plugin) to run with attacker-chosen attributes. What that yields depends on which shortcodes are available on the target site; it can range from disclosure of data a shortcode renders to injection of attacker-controlled content, and the CVSS assessment rates both the confidentiality and the integrity impact as low. The flaw is classified as CWE-94 (Improper Control of Generation of Code), reflecting the missing validation before do_shortcode is invoked.
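The pattern the description names (an unauthenticated action that runs do_shortcode on a value it never validated) and the fix a maintainer would apply are easiest to see side by side. The following is an added illustration written for this page; it is not code from the Advanced Custom Fields: Extended plugin, and every hook name, handler name, request parameter, post type and meta key in it is assumed. It uses only the WordPress functions named in the comments and is meant to run inside a WordPress install as a small plugin file.

```php
<?php
/*
 * Added illustration, NOT code from Advanced Custom Fields: Extended.
 * All names below (acfe_demo_*, 'content', 'form_id', 'acfe-form',
 * '_acfe_demo_template') are hypothetical.
 */

/* ---- Vulnerable pattern: request-controlled text reaches do_shortcode() ----
 * wp_ajax_nopriv_* handlers are reachable by unauthenticated visitors at
 * /wp-admin/admin-ajax.php?action=acfe_demo_render
 */
add_action('wp_ajax_nopriv_acfe_demo_render', 'acfe_demo_render_vulnerable');
add_action('wp_ajax_acfe_demo_render', 'acfe_demo_render_vulnerable');

function acfe_demo_render_vulnerable() {
    // Whatever the visitor posts is scanned for [tag ...] markup and every
    // registered shortcode found in it is executed with the visitor's
    // attributes. There is no nonce, no capability check and no validation.
    $content = isset($_POST['content']) ? wp_unslash($_POST['content']) : '';
    wp_send_json_success(do_shortcode($content));
}

/* ---- Hardened pattern: the request may only *select* server-owned content --
 * The visitor names a form; the template that is expanded comes from post
 * meta an editor wrote, not from the request body.
 */
add_action('wp_ajax_nopriv_acfe_demo_render_safe', 'acfe_demo_render_safe');
add_action('wp_ajax_acfe_demo_render_safe', 'acfe_demo_render_safe');

function acfe_demo_render_safe() {
    // Ties the request to a page the server rendered (nonce field assumed).
    check_ajax_referer('acfe_demo_render', 'nonce');

    // Coerce the identifier and make sure it points at the expected object.
    $form_id = isset($_POST['form_id']) ? absint($_POST['form_id']) : 0;
    if ($form_id === 0 || get_post_type($form_id) !== 'acfe-form') {
        wp_send_json_error('unknown form', 400);
    }

    // Site-owned template; the requester cannot write this meta key.
    $template = (string) get_post_meta($form_id, '_acfe_demo_template', true);

    // Defence in depth: even inside server-owned content, only an explicit
    // allowlist of shortcodes is expanded from this handler. Group 2 of
    // get_shortcode_regex() is the tag name; anything else is dropped.
    $allowed = array('acfe_demo_field');
    $pattern = get_shortcode_regex(array_keys($GLOBALS['shortcode_tags']));
    $template = preg_replace_callback(
        "/$pattern/",
        function ($m) use ($allowed) {
            return in_array($m[2], $allowed, true) ? $m[0] : '';
        },
        $template
    );

    wp_send_json_success(do_shortcode($template));
}
```

The essential change is the first one: the hardened handler never hands request data to do_shortcode at all; it resolves an identifier to content the attacker cannot write. The allowlist is a second layer for the case where the site-owned template itself is later edited to include something unexpected.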

Affected Systems

WordPress sites running the Advanced Custom Fields: Extended plugin at any version up to and including 0.9.2.3 are affected, regardless of theme or other plugin configuration. Note that the set of shortcodes an attacker can actually invoke through the flaw depends on everything else active on the site. No fixed release is recorded in this entry.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) describes a network-reachable flaw that requires no privileges and no user interaction and has low confidentiality and integrity impact. No EPSS score is available, and the CVE is not in the CISA KEV catalog, so there is no evidence of in-the-wild exploitation at the time of writing; the SSVC assessment recorded in the history below likewise reports Exploitation: none but Automatable: yes. Because the vulnerable action is reachable by unauthenticated requests, anyone who can reach the site over the internet can submit a form payload containing shortcode tags and have them executed. No account or special privileges are required.

Generated by OpenCVE AI on May 12, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Advanced Custom Fields: Extended to a release later than 0.9.2.3 as soon as one is published; until then, consider deactivating the plugin on internet-facing sites where its forms are not needed
  • Reduce what an attacker can reach through do_shortcode: audit the shortcodes registered by WordPress core, the theme and active plugins, and remove or disable any that expose sensitive data or privileged actions when invoked with attacker-chosen attributes
  • In plugin code, never pass request-supplied text to do_shortcode; resolve the request to server-stored content instead, and where a handler must expand shortcodes, restrict them to an explicit allowlist



Advisories

No advisories yet.

History

Wed, 13 May 2026 01:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 22:45:00 +0000

Type: Description
Values removed: none
Values added: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Type: Title
Values removed: none
Values added: Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution

Type: Weaknesses
Values removed: none
Values added: CWE-94

Type: References
Values removed: none
Values added: (no references listed)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T00:17:55.890Z

Reserved: 2026-01-05T13:03:31.231Z

Link: CVE-2025-15463

Vulnrichment

Updated: 2026-05-13T00:17:51.570Z

NVD

Status : Received

Published: 2026-05-12T23:16:15.883

Modified: 2026-05-12T23:16:15.883

Link: CVE-2025-15463

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses