Privilege Escalation Vulnerability in Advanced Custom Fields: Extended Plugin for WordPress
CVE-2025-14533

9.8CRITICAL

Key Information:

Vendor

WordPress

CVE Published:
20 January 2026

Badges

📈 Score: 844 · 👾 Exploit Exists · 📰 News Worthy

What is CVE-2025-14533?

CVE-2025-14533 is a critical privilege escalation vulnerability found in the Advanced Custom Fields: Extended plugin for WordPress. This plugin is designed to enhance the functionality of custom fields within WordPress, enabling users to create tailored and complex content management systems. The vulnerability arises from a flaw in the 'insert_user' function, which fails to properly restrict user roles during registration. This oversight allows unauthenticated attackers to manipulate the registration process and assign themselves the 'administrator' role. This unauthorized access can lead to a complete takeover of the WordPress site, posing serious security threats to organizations relying on this plugin for their online presence. The potential for exploitation is significant, particularly if the vulnerable custom field is mapped to the registration process, enabling a straightforward method for attackers to escalate privileges without needing prior access or authentication.

Potential impact of CVE-2025-14533

  1. Unauthorized Administrative Access: The primary impact of this vulnerability is that it allows attackers to gain administrative privileges without any form of authentication. This level of access can lead to unauthorized modifications to site content, user data, and critical settings.

  2. Data Compromise: Once an attacker gains administrative rights, they can access sensitive information stored within the WordPress site. This may include user data, payment information, and proprietary content, leading to data breaches that could have legal and financial repercussions for organizations.

  3. Malware Deployment: With full administrative control, attackers can install malicious plugins or execute scripts that could further compromise the site. This can lead to the installation of ransomware or other malware, which can be used to extort the organization or disrupt business operations.


Affected Version(s)

Advanced Custom Fields: Extended * <= 0.9.2.1

News Articles

ACF Plugin Vulnerability Exposes 50,000 WordPress Sites to Hackers

Critical ACF plugin flaw exposes 50,000 WordPress sites to hackers gaining full admin access - discover how to protect your website now.

6 days ago

CVE-2025-14533: Critical WordPress Plugin Lapse Puts Over 100,000 Sites at Risk

A critical flaw in the ACF Extended WordPress plugin could give hackers full admin access to over 100,000 sites, prompting urgent patch warnings.

6 days ago

ACF plugin bug gives hackers admin on 50,000 WordPress sites

A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions.

6 days ago

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by Cyber Security News

  • Vulnerability published

  • Vulnerability Reserved

Credit

andrea bocchetti