A critical vulnerability has been discovered in the popular WordPress plugin Advanced Custom Fields: Extended (ACF Extended), which is used on more than 100,000 websites.

The flaw, tracked as CVE-2025-14533, lets an unauthenticated attacker obtain full administrator access. It affects ACF Extended versions up to and including 0.9.2.1 and is reachable through the plugin's "Insert User / Update User" form action.

The root cause is that the plugin does not enforce, on the server side, which roles a form is allowed to assign when it creates or updates a user. Even when the site owner has restricted the form to a low-privilege role, the role value submitted with the form is honored, so an attacker can set it to "administrator." Wordfence explained that the role field can be manipulated to assign any role, including admin, leading to a complete site takeover. The attack does, however, require a site to expose a user-creation or user-update form with a role field enabled; sites whose forms do not set a role are not affected by this path.
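The following is an added illustration of the bug class described above, not ACF Extended's own code. It shows the vulnerable pattern (the role is whatever the POST body says) beside a hardened handler in which the role is resolved server-side from the form's saved configuration and privileged roles are refused to submitters who cannot promote users. The function names `example_handle_user_form_vulnerable()`, `example_resolve_role()`, `example_handle_user_form()`, the nonce action `example_user_form` and the option key `example_form_allowed_roles` are assumptions standing in for whatever a real form builder stores; the WordPress functions called (`wp_insert_user`, `wp_update_user`, `get_role`, `current_user_can`, `wp_verify_nonce`, `sanitize_*`) are core APIs.

```php
<?php
/*
 * Added example (not the plugin's code). Assumed names: example_* functions,
 * the 'example_user_form' nonce action and the 'example_form_allowed_roles'
 * option, which stands in for the form's "allowed roles" setting.
 */

// VULNERABLE PATTERN: the role is taken straight from the submitted form.
// The form UI may only offer "subscriber", but the POST body is attacker-
// controlled, so role=administrator is honored and the new account is an admin.
function example_handle_user_form_vulnerable( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
        'role'       => sanitize_key( $post['role'] ?? 'subscriber' ), // trusted as submitted
    ) );
}

// Resolve the role server-side. The form's configured list is the allow-list;
// anything else falls back to the default, and a role carrying admin-level
// capabilities is refused unless the acting user may promote users.
function example_resolve_role( string $requested, array $allowed, string $fallback = 'subscriber' ) : string {
    $requested = sanitize_key( $requested );
    if ( '' === $requested || ! in_array( $requested, $allowed, true ) ) {
        return $fallback; // not a role this form is permitted to hand out
    }
    $role = get_role( $requested );
    if ( null === $role ) {
        return $fallback; // role does not exist on this site
    }
    if ( ( $role->has_cap( 'manage_options' ) || $role->has_cap( 'promote_users' ) )
         && ! current_user_can( 'promote_users' ) ) {
        return $fallback; // anonymous or low-privilege submitter cannot mint admins
    }
    return $requested;
}

// HARDENED PATTERN: nonce-checked, role decided from saved configuration, and
// on update the 'role' key is only passed when the caller may change roles.
function example_handle_user_form( array $post, int $update_user_id = 0 ) {
    if ( ! wp_verify_nonce( (string) ( $post['_example_nonce'] ?? '' ), 'example_user_form' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    // Allowed roles come from the form's stored settings, never from the request.
    $allowed = (array) get_option( 'example_form_allowed_roles', array( 'subscriber' ) );
    $role    = example_resolve_role( (string) ( $post['role'] ?? '' ), $allowed );

    if ( $update_user_id > 0 ) {
        // A user may edit their own profile; editing anyone else needs edit_user.
        if ( get_current_user_id() !== $update_user_id
             && ! current_user_can( 'edit_user', $update_user_id ) ) {
            return new WP_Error( 'forbidden', 'You may not edit this user.' );
        }
        $args = array(
            'ID'         => $update_user_id,
            'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        );
        // Omitting 'role' leaves the existing role untouched; only a promoter sets it.
        if ( current_user_can( 'promote_users' ) ) {
            $args['role'] = $role;
        }
        return wp_update_user( $args );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
        'role'       => $role,
    ) );
}
```

The two decisions that matter are that the allow-list is read from stored configuration rather than from any request field, and that the update path never forwards a `role` key unless the current user holds `promote_users`; with those in place a crafted `role=administrator` submission degrades to the fallback role instead of a takeover.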

The issue was discovered by security researcher Andrea Bocchetti on December 10, 2025, and fixed four days later in version 0.9.2.2. Since then, about 50,000 sites have updated, which leaves roughly as many still running a vulnerable version. So far, no real-world attacks using this exact flaw have been confirmed.

At the same time, threat monitoring firm GreyNoise reports massive scanning activity targeting WordPress plugins. From late October 2025 to mid-January 2026, nearly 1,000 IP addresses checked over 40,000 sites for weaknesses in more than 700 plugins. The most targeted plugins include Post SMTP, Loginizer, LiteSpeed Cache, Rank Math SEO, Elementor, and Duplicator.

WordPress site owners are strongly advised to update ACF Extended to version 0.9.2.2 or later and to keep all other plugins current. Sites that cannot update immediately should disable the role field on any public user-creation or user-update form, since that field is the path the attack depends on.
