Remote Code Execution Vulnerability in Advanced Custom Fields Extended Plugin for WordPress
CVE-2025-13486

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Advanced Custom Fields: Extended
Vendor: CVE Published:; 3 December 2025

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 24%

What is CVE-2025-13486?

The Advanced Custom Fields: Extended plugin for WordPress contains a vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. This occurs due to improper validation within the prepare_form() function, which processes user input through call_user_func_array() without adequate safeguards. Exploiting this flaw can lead to severe consequences, such as the injection of backdoors or the creation of unauthorized administrative accounts.

Affected Version(s)

Advanced Custom Fields: Extended 0.9.0.5 <= 0.9.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13486
Created by MataKucing-OFC

CVE-2025-13486-POC
Created by 0xanis

cve-2025-13486-vuln-setup
Created by KrE80r

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3400134/acf-...

EPSS Score

24% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 4, 2025
👾
Exploit known to exist
Dec 4, 2025
Vulnerability published
Dec 3, 2025
Vulnerability Reserved
Nov 20, 2025

Credit

Marcin Dudek

JSON