Critical ACF Extended Vulnerability Grants Admin Access to 50,000 WordPress Sites

21.01.2026 2 minutes Author: Newsman

A serious vulnerability has been identified in the well-known WordPress plugin Advanced Custom Fields: Extended (ACF Extended) that permits an unauthenticated attacker to gain full administrative access to a website. Approximately fifty thousand websites remain at risk until they apply the security patch.

The issue is tracked as CVE-2025-14533 and stems from missing role enforcement in the Insert User / Update User form actions of the ACF Extended plugin. Because the submitted role value is not validated against the roles configured in the form settings, an attacker can create a user with the administrator role regardless of what the form was configured to allow.

Wordfence indicated that the vulnerability is exploitable on any site that exposes a publicly accessible user creation or update form containing a role mapping field. Where that is the case, an attacker can take over the site completely, potentially installing malware, creating backdoor accounts or manipulating content, without any authentication.
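The weakness described above, a form handler that trusts a client-supplied role instead of the role configured server-side, is illustrated below with a constructed WordPress-style handler. This is an added example and is not ACF Extended's code; the form configuration array, the `demo_` function names and the nonce action name are assumptions made for the illustration. The weak version forwards the role from the request to `wp_insert_user()`; the hardened version resolves the role purely from server-side configuration, allow-lists any override, and requires both a valid nonce and the `promote_users` capability before honouring a non-default role.

```php
<?php
// Added illustration, not ACF Extended's own code. A generic front-end
// "insert user" handler in the weak and hardened forms. Requires a loaded
// WordPress environment for wp_insert_user(), wp_verify_nonce(), etc.

// Hypothetical server-side form configuration (an assumption for this example):
// the role the form is meant to assign, and the only overrides it may accept.
const DEMO_FORM_CONFIG = array(
    'default_role'  => 'subscriber',
    'allowed_roles' => array( 'subscriber', 'contributor' ),
);

// WEAK: the role comes straight from user-controlled input. A request with
// role=administrator creates an administrator, whatever the form settings say.
function demo_insert_user_weak( array $request ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['user_login'] ?? '' ),
        'user_email' => sanitize_email( $request['user_email'] ?? '' ),
        'user_pass'  => $request['user_pass'] ?? wp_generate_password(),
        'role'       => $request['role'] ?? DEMO_FORM_CONFIG['default_role'],
    ) );
}

// Pure helper (no WordPress calls) that decides which role a submission may
// receive. Returns null when the requested role is not permitted so the
// caller can refuse the submission instead of silently downgrading it.
function demo_resolve_role( array $config, $requested, $can_promote ) {
    $role = $config['default_role'];
    if ( null === $requested || '' === $requested ) {
        return $role;                       // no override requested
    }
    if ( ! in_array( $requested, $config['allowed_roles'], true ) ) {
        return null;                        // e.g. 'administrator': never on the allow-list
    }
    if ( $requested !== $config['default_role'] && ! $can_promote ) {
        return null;                        // anonymous/low-privilege callers get the default only
    }
    return $requested;
}

// HARDENED: CSRF token, server-side role resolution, capability check for
// anything beyond the configured default role.
function demo_insert_user_hardened( array $request ) {
    $nonce = $request['_wpnonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, 'demo_insert_user' ) ) {      // nonce action name is an assumption
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    $role = demo_resolve_role(
        DEMO_FORM_CONFIG,
        isset( $request['role'] ) ? sanitize_key( $request['role'] ) : null,
        current_user_can( 'promote_users' )
    );
    if ( null === $role ) {
        return new WP_Error( 'forbidden_role', 'Requested role is not permitted for this form.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( $request['user_login'] ?? '', true ),
        'user_email' => sanitize_email( $request['user_email'] ?? '' ),
        'user_pass'  => wp_generate_password( 24, true, true ), // never accept a caller-chosen password silently
        'role'       => $role,
    );
    if ( '' === $userdata['user_login'] || ! is_email( $userdata['user_email'] ) ) {
        return new WP_Error( 'bad_input', 'Username or e-mail is invalid.' );
    }
    return wp_insert_user( $userdata );
}
```

The essential change is that `role` is never copied from the request into `wp_insert_user()`. `demo_resolve_role()` is deliberately free of WordPress calls so it can be unit-tested in isolation: `demo_resolve_role( DEMO_FORM_CONFIG, 'administrator', true )` returns `null`, and `demo_resolve_role( DEMO_FORM_CONFIG, 'contributor', false )` also returns `null`, while an empty override yields `'subscriber'`.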

It is estimated that approximately one hundred thousand WordPress sites use ACF Extended, which developers commonly rely on for advanced content customization. Security researcher Andrea Bocchetti discovered the vulnerability on December 10th, 2025 and promptly reported it through Wordfence. Four days after the initial report, a patched version (0.9.2.2) was released.

However, download statistics indicate that nearly half of current installations have yet to apply the patch and therefore remain vulnerable. Separately, GreyNoise has observed a significant volume of WordPress plugin enumeration, which is likely reconnaissance ahead of attempts to exploit this vulnerability.

Although no exploitation of CVE-2025-14533 has been reported so far, the risk is high. All WordPress administrators should immediately update the ACF Extended plugin, review all user accounts for unexpected administrator-level accounts or other suspicious changes, and remove any publicly accessible user management interfaces. This vulnerability is a prime example of how poorly secured user-management features in a plugin can become a major attack vector.
