
Urgent: Critical Remote Code Execution Vulnerability in ACF Extended Plugin (CVE-2025-13486)

Overview

A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-13486, has been disclosed in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress. It affects versions 0.9.0.5 through 0.9.1.1 inclusive and allows unauthenticated attackers to execute arbitrary code on the server hosting the site. Because no credentials are needed, every internet-facing site running an affected version is exposed to anyone who can reach it. Immediate action is required to mitigate this risk.

Technical Details

The flaw is in the plugin's prepare_form() function, which takes request-controlled input and passes it straight to call_user_func_array() without checking that the value names one of the handlers the plugin intends to run. call_user_func_array() will invoke whatever callable it is given, including PHP built-ins such as system() or file_put_contents(), so an attacker who controls that argument controls what the server executes. The root cause is missing validation: the function trusts the caller to supply a legitimate callback instead of restricting it to a fixed, code-defined set. Since the vulnerable code path is reachable without authentication, exploitation needs no account on the site and no user interaction; the attacker only has to send a crafted request.
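As an added illustration (this is not the ACF Extended plugin's code, whose internals are not reproduced here), the snippet below shows the generic bug class described above in PHP: a request-controlled string handed to call_user_func_array(), next to the allowlist dispatch that closes it. The field names ('callback', 'args'), the handler names and the $request array are all constructed for the example.

```php
<?php
// Added example: a generic illustration of the bug class, not the plugin's code.
// Field names ('callback', 'args'), handler names and $request are constructed.

// Stand-in for $_POST / $_GET as an attacker would send it.
$request = [
    'callback' => 'system',
    'args'     => ['id'],
];

/**
 * VULNERABLE: the callable and its arguments come straight from the request.
 * call_user_func_array() will invoke any callable string, including PHP
 * built-ins such as system() or file_put_contents(), so whoever can send the
 * request chooses what the server runs.
 */
function vulnerable_dispatch(array $request)
{
    $callback = $request['callback'] ?? '';
    $args     = (array) ($request['args'] ?? []);
    return call_user_func_array($callback, $args); // runs `id` for the input above
}

/**
 * HARDENED: the request may only pick a key from a fixed map of handlers the
 * code itself defines. Note that is_callable($callback) alone is not a fix:
 * 'system' is callable too. Only a closed allowlist removes attacker control.
 */
const FORM_HANDLERS = [
    'render_title' => 'demo_render_title',
    'render_count' => 'demo_render_count',
];

function demo_render_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

function demo_render_count($count): string
{
    return (string) (int) $count;
}

function hardened_dispatch(array $request)
{
    $key = $request['callback'] ?? null;
    // Reject non-strings (arrays can arrive via the query string) and unknown
    // keys outright; never fall back to calling the raw value.
    if (!is_string($key) || !array_key_exists($key, FORM_HANDLERS)) {
        return null;
    }
    $args = (array) ($request['args'] ?? []);
    return call_user_func_array(FORM_HANDLERS[$key], $args);
}

var_dump(hardened_dispatch($request));                                            // NULL: 'system' is not allowlisted
var_dump(hardened_dispatch(['callback' => 'render_title', 'args' => ['<b>x</b>']])); // string "&lt;b&gt;x&lt;/b&gt;"
// vulnerable_dispatch($request) is deliberately not invoked here.
```

The point of the hardened version is that the request selects among handlers the code already trusts; it never supplies the callable itself. Validating with is_callable(), function_exists() or a denylist of dangerous names leaves the attacker in control of the function name and is routinely bypassed.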

CVSS Analysis

The vulnerability carries a CVSS 3.x base score of 9.8 (Critical), which corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity and availability. That is exactly the profile of an unauthenticated RCE: the only thing an attacker needs is network access to a site running an affected version.

Possible Impact

Successful exploitation gives the attacker code execution with the privileges of the web server or PHP process. On a typical WordPress host that is enough to:

  • Take over the site and server: read wp-config.php (including the database credentials), modify any plugin or theme file, and run commands as the web server user, with the host itself at risk wherever local privilege escalation is possible.
  • Plant backdoors: drop web shells or alter existing files to retain access after the plugin is updated.
  • Create administrative accounts: insert new administrator users directly in the database for long-term control.
  • Steal data: exfiltrate the database, uploaded files and any secrets stored on the server.
  • Deface or abuse the site: alter content, redirect visitors, or use the server for other malicious purposes such as hosting phishing pages.

Mitigation and Patch Steps

The fix is to update Advanced Custom Fields: Extended to the latest release; the vulnerability is patched in versions later than 0.9.1.1. To update through the dashboard:

  1. Log in to the WordPress admin dashboard.
  2. Navigate to Plugins.
  3. Locate Advanced Custom Fields: Extended and confirm the installed version (anything from 0.9.0.5 to 0.9.1.1 is affected).
  4. Click Update Now. If no update is offered, WordPress is probably showing a cached update check: open Dashboard > Updates, click Check again, then return to Plugins.

On the command line, WP-CLI's wp plugin update <slug> does the same (the slug is the plugin's directory name under wp-content/plugins).

If you cannot update immediately, deactivate the plugin until you can; WordPress does not load a deactivated plugin's code, so the vulnerable function is no longer reachable through it (removing the plugin directory is safer still, since the files are gone entirely). Because the bug is exploitable without authentication, also assume that an affected site exposed to the internet may already have been hit: after patching, review the user list for administrator accounts you did not create, compare plugin, theme and core files against clean copies, and look for unexpected PHP files in wp-content/uploads. Finally, keep WordPress core, plugins and themes on a regular update cadence so the window between disclosure and patching stays short.
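For fleets where clicking through wp-admin on every site does not scale, here is an added PHP command-line check (not from the original post or the plugin) that reads the plugin's Version: header the way WordPress parses plugin headers and tests it against the affected range given above. The path acf-extended/acf-extended.php under wp-content/plugins is an assumption about the install layout; the sample header in the block is constructed.

```php
<?php
// Added example, not code from the plugin or the original post.
// The affected range is taken from the advisory; the path layout is an assumption.
const AFFECTED_MIN = '0.9.0.5';
const AFFECTED_MAX = '0.9.1.1';
const PLUGIN_MAIN_FILE = 'wp-content/plugins/acf-extended/acf-extended.php'; // assumed slug and file

/**
 * Pull the value of the "Version:" header from a plugin's main file, matching
 * the header comment format WordPress itself parses (a prefix of whitespace and
 * comment characters, then "Version: x.y.z"). Returns null when absent.
 */
function plugin_header_version(string $contents): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $contents, $m)) {
        return $m[1];
    }
    return null;
}

/** Inclusive range test using version_compare(), so 0.9.1 sorts below 0.9.1.1. */
function is_affected(string $version): bool
{
    return version_compare($version, AFFECTED_MIN, '>=')
        && version_compare($version, AFFECTED_MAX, '<=');
}

/** Check one WordPress document root and return a one-line verdict. */
function check_install(string $wp_root): string
{
    $file = rtrim($wp_root, '/') . '/' . PLUGIN_MAIN_FILE;
    if (!is_readable($file)) {
        return "not installed: $file";
    }
    $version = plugin_header_version((string) file_get_contents($file));
    if ($version === null) {
        return "unknown: no Version header in $file";
    }
    return is_affected($version)
        ? "VULNERABLE: acf-extended $version (affected " . AFFECTED_MIN . ' to ' . AFFECTED_MAX . '), update now'
        : "ok: acf-extended $version is outside the affected range";
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // Usage: php check-acfe.php /var/www/site1 /var/www/site2 ...
    foreach (array_slice($argv, 1) as $root) {
        echo check_install($root), PHP_EOL;
    }
} else {
    // Constructed plugin header, to exercise the parser without a real install.
    $sample = "<?php\n/**\n * Plugin Name: Advanced Custom Fields: Extended\n * Version: 0.9.1.1\n */\n";
    $v = plugin_header_version($sample);
    echo $v, ' affected? ', is_affected($v) ? 'yes' : 'no', PHP_EOL; // 0.9.1.1 affected? yes
}
```

Run it as php check-acfe.php /var/www/site1 /var/www/site2 and act on every VULNERABLE line. The check reads the file header rather than asking the database, so it also works on installs whose wp-admin is unreachable or whose update transient is stale.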

About the Author

The author is a cybersecurity specialist and the founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
