Privilege Escalation Vulnerability in Advanced Custom Fields: Extended Plugin for WordPress
CVE-2026-8809

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Advanced Custom Fields: Extended
Vendor: CVE Published:; 28 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-8809?

The Advanced Custom Fields: Extended plugin for WordPress is susceptible to a privilege escalation vulnerability due to a validation bypass in the after_validate_save_post() function. This function improperly trusts the attacker-controlled _acf_post_id POST parameter, which allows unauthorized users to bypass crucial validation checks. As a result, attackers can suppress validation errors related to user role permissions, enabling them to create new administrator-level accounts without proper authentication. This exploit is particularly critical when a public ACFE frontend form is configured with a Create User action that maps a role field, putting many WordPress sites at risk.

Affected Version(s)

Advanced Custom Fields: Extended 0 <= 0.9.2.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-8809
Created by izxci

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/acf-extended/t...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 12, 2026
👾
Exploit known to exist
Jun 12, 2026
Vulnerability published
May 28, 2026
Vulnerability Reserved
May 18, 2026

Credit

daroo

CVE-2026-8809 Data

JSON