A critical vulnerability in the Advanced Custom Fields: Extended WordPress plugin allows unauthenticated attackers to remotely gain administrative access to affected websites. The flaw exists in versions 0.9.2.1 and earlier and can lead to total site takeover if certain form configurations are present.
The security flaw, identified as CVE-2025-14533, impacts a popular developer tool currently active on approximately 100,000 websites. The vulnerability lies in the plugin’s user management form actions, namely the insert-user and update-user features. Because the software fails to enforce role restrictions on the server side, an attacker can manipulate the submitted form fields to assign themselves the administrator role, bypassing any settings the site owner intended to have in place.
Security researchers at Wordfence highlight that this issue represents a significant risk because it enables complete site compromise. However, the exploit is not universal to every site using the plugin. It only poses a threat to installations that have actively configured a user-facing form that includes a role-selection field. In these specific scenarios, the lack of server-side validation allows the role to be set to any level regardless of the front-end limitations.
The timeline for this discovery began in December 2025 when a researcher reported the bug, leading to a swift patch by the developers just four days later. While version 0.9.2.2 resolves the issue, current download statistics suggest that roughly half of the plugin's user base may still be running vulnerable versions. This lag in updates creates a significant window of opportunity for malicious actors to target unpatched systems.
While there are no confirmed reports of attackers specifically targeting this vulnerability yet, broad scanning activity across the WordPress ecosystem is on the rise. Monitoring firms have observed nearly 1,000 unique IP addresses conducting large-scale reconnaissance to identify vulnerable plugins. This automated enumeration is a common precursor to active exploitation, as attackers build lists of potential targets before launching specific attacks.
Users are strongly encouraged to verify their plugin version and update to the latest release immediately to mitigate the risk of administrative takeover. Beyond patching, site administrators should audit any custom forms that handle user registration or profile updates to ensure they do not unintentionally expose sensitive role-mapping fields to public input. Keeping all plugins updated remains the most effective defense against the ongoing trend of large-scale automated scanning.
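To make the class of flaw described above concrete, and to show what the form audit recommended here should look for, the following is an added example and not code from the ACF Extended plugin or from WordPress core. It contrasts a front-end "insert user" handler that trusts the role field sent by the browser with a hardened handler in which the server decides which roles a public form may assign; the form-settings array, the nonce action name and every function prefixed `example_` are constructed for this illustration, while `wp_insert_user`, `wp_update_user`, `wp_verify_nonce`, `current_user_can`, `wp_roles` and the sanitisation helpers are real WordPress APIs.

```php
<?php
// Added, hypothetical example: NOT code from ACF Extended or WordPress core.
// Assumes the WordPress runtime is loaded. The $form_settings array, the
// 'example_register' nonce action and all example_* names are constructed here.

// --- Vulnerable pattern: the role comes straight from the request -----------
function example_vulnerable_register_handler() {
    $role = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : 'subscriber';
    // Sanitising the string does nothing to restrict WHICH role is chosen: the
    // front-end dropdown may only list "subscriber", but the server honours any
    // role name the request carries, which is the flaw described above.
    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ) ),
        'user_pass'  => $_POST['user_pass'],
        'role'       => $role,
    ) );
}

// --- Hardened pattern: the server decides which roles are reachable ---------
/**
 * Resolve the role a public form is allowed to assign.
 *
 * @param array  $form_settings Server-side form configuration (constructed):
 *                              'default_role' and optional 'allowed_roles'.
 * @param string $requested     Raw value of the role field, '' if absent.
 * @return string|WP_Error
 */
function example_resolve_form_role( array $form_settings, $requested ) {
    $default = isset( $form_settings['default_role'] ) ? $form_settings['default_role'] : 'subscriber';
    $allowed = isset( $form_settings['allowed_roles'] ) ? (array) $form_settings['allowed_roles'] : array( $default );

    // Privileged roles are never assignable from a public form, whatever the
    // settings say. This is the server-side floor the front-end cannot move.
    $never_public = array( 'administrator', 'editor' );
    $allowed      = array_diff( $allowed, $never_public );

    if ( '' === $requested ) {
        return $default;
    }
    $requested = sanitize_key( $requested );
    // Validate against the allowlist AND against roles that actually exist.
    if ( ! in_array( $requested, $allowed, true )
        || ! array_key_exists( $requested, wp_roles()->get_names() ) ) {
        return new WP_Error( 'invalid_role', 'Requested role is not permitted for this form.' );
    }
    return $requested;
}

function example_hardened_register_handler( array $form_settings ) {
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }
    $requested = isset( $_POST['role'] ) ? wp_unslash( $_POST['role'] ) : '';
    $role      = example_resolve_form_role( $form_settings, $requested );
    if ( is_wp_error( $role ) ) {
        return $role;
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ) ),
        'user_pass'  => $_POST['user_pass'],
        'role'       => $role,
    ) );
}

// Update path: changing an existing user's role is a privileged operation,
// so a profile form must not treat the role field like any other field.
function example_hardened_update_handler( array $form_settings, $user_id ) {
    $args = array( 'ID' => (int) $user_id );
    if ( isset( $_POST['role'] ) && '' !== $_POST['role'] ) {
        if ( ! current_user_can( 'promote_users' ) ) {
            return new WP_Error( 'forbidden', 'Role changes are not allowed from this form.' );
        }
        $role = example_resolve_form_role( $form_settings, wp_unslash( $_POST['role'] ) );
        if ( is_wp_error( $role ) ) {
            return $role;
        }
        $args['role'] = $role;
    }
    $args['display_name'] = sanitize_text_field( wp_unslash( $_POST['display_name'] ?? '' ) );
    return wp_update_user( $args );
}
```

When auditing a site's own forms, the question to ask of each user-creating or user-updating action is the one the hardened handler answers: is the role taken from server-side configuration or an allowlist that excludes privileged roles, and is a role change on an existing account gated on a capability such as `promote_users`? A form whose handler resembles the first function is exposed regardless of what the front-end dropdown displays.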
Source: ACF Plugin Bug Gives Hackers Admin Access On 50000 WordPress Sites



Solid breakdown of a nasty vulnerability. What makes this particularly dangerous is how attackers are using automated enumeration to build target lists before anyone patches. I saw something similar back in 2019 with a different WordPress flaw and the scanning activity typically spikes right before exploits go public. Sites running unpatched versions are essentially waiting with the door unlocked.