Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.
Published: 2026-05-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Advanced Custom Fields: Extended plugin for WordPress contains a validation bypass that allows an attacker to force the plugin to discard role validation errors, enabling the creation of a new administrator-level user account without any authentication. By sending a crafted POST request containing the _acf_post_id parameter, the plugin’s after_validate_save_post() routine ignores all validation checks added by acfe_field_user_roles and acfe_module_form_action_user, causing wp_insert_user() to execute with an attacker‑supplied administrator role. This results in unrestricted account takeover and full administrative privileges on the affected site.

Affected Systems

All versions of the Advanced Custom Fields: Extended plugin up to and including 0.9.2.5 are vulnerable. No other vendors or products are identified; the issue affects only this WordPress plugin.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as Critical, and the absence of an EPSS score indicates that the exploitability has not been formally quantified. The plugin must be publicly accessible with a frontend form configured for user creation and role mapping to trigger the flaw, making the attack vector a typical unauthenticated HTTP POST request. Although not yet listed in CISA’s KEV catalog, the high rating and straightforward exploitation path suggest that attackers could discover and exploit this vulnerability quickly if no mitigation is applied.

Generated by OpenCVE AI on May 28, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced Custom Fields: Extended plugin to a version newer than 0.9.2.5, or apply the vendor’s security fix if a patch is provided for versions up to 0.9.2.5.
  • Remove or restrict public access to any ACFE frontend forms that enable user creation, or disable the Create User action for non‑privileged roles.
  • Audit the site for any unauthorized administrator accounts that may have been created and remove them; also review role assignments to ensure no excess privileges remain.



Advisories

No advisories yet.

History

Fri, 29 May 2026 11:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: the vulnerability description (identical to the Description at the top of this page)

Type: Title
Values Removed: (none)
Values Added: Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-269

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T10:08:09.995Z

Reserved: 2026-05-18T06:34:31.899Z

Link: CVE-2026-8809

Vulnrichment

Updated: 2026-05-29T10:08:04.774Z

NVD

Status : Deferred

Published: 2026-05-28T23:16:44.760

Modified: 2026-05-29T02:40:08.093

Link: CVE-2026-8809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T23:30:26Z

Weaknesses