A serious vulnerability in the ACF Extended WordPress plugin allows attackers to gain admin access without authentication. This flaw has affected numerous websites and highlights the importance of timely plugin updates. #CVE-2025-14533 #WordPressSecurity
Key points
- A critical security flaw in the ACF Extended plugin enables remote privilege escalation.
- Over 100,000 websites use the vulnerable ACF Extended plugin, increasing attack exposure.
- The vulnerability involves the "Insert User / Update User" form, which lacks role restrictions.
- Exploitation can lead to full site compromise, especially if a role field is used in user forms.
- Although no attacks have been observed yet, large-scale reconnaissance activity has been detected.