[ad_1]
- Important bug in ACF: Prolonged WordPress plugin permits arbitrary position escalation to administrator
- About 50,000 WordPress websites are susceptible regardless of patch in model 0.9.2.2
- No exploitation reported but, however attackers prone to probe uncovered websites quickly
Round 50,000 WordPress web sites are at the moment prone to full website takeover, because of a critical-severity vulnerability that was not too long ago found in a well-liked plugin.
In mid-December 2025, Wordfence was notified by safety researcher Andrea Bocchetti of a vulnerability in Superior Customized Fields: Prolonged, a plugin which provides extra options to the Superior Customized Fields (ACF) plugin.
ACF additionally lets customers add customized fields to posts and pages, and it’s at the moment being actively utilized by round 100,000 WordPress web sites.
keep protected
Bocchetti mentioned that the bug stems from position restrictions not being enforced correctly throughout form-based consumer creation, or updates.
“Within the susceptible model, there aren’t any restrictions for kind fields, so the consumer’s position may be set arbitrarily, even to ‘administrator’, whatever the area settings, if there’s a position area added to the shape,” Wordfence defined in its advisory.
“As with all privilege escalation vulnerability, this can be utilized for full website compromise.”
In different phrases, any unauthenticated consumer can set themselves as admins for a WordPress website, basically taking on the positioning.
The vulnerability was found in variations 0.9.2.1 and earlier and is now being tracked as CVE-2025-14533. It was given a severity rating of 9.8/10 (crucial).
The silver lining is that it can’t be exploited simply. The websites want to make use of a ‘Create Consumer’ or ‘Replace Consumer’ kind with a job area mapped.
The bug was remedied in model 0.9.2.2. In accordance with WordPress’ official stats, roughly 50,000 web sites have already up to date to the most recent model, leaving roughly the identical variety of these which are nonetheless susceptible.
At press time, there was no proof of the flaw being abused within the wild, however now that the information is on the market, it’s protected to imagine that cybercriminals will begin at the least probing for vulnerabilities.
Through BleepingComputer
One of the best antivirus for all budgets
Observe TechRadar on Google Information and add us as a most well-liked supply to get our professional information, evaluations, and opinion in your feeds. Make certain to click on the Observe button!
And naturally you too can comply with TechRadar on TikTok for information, evaluations, unboxings in video kind, and get common updates from us on WhatsApp too.
[ad_2]
