Critical ACF Extended bug lets attackers gain admin on about 50,000 WordPress sites

A critical vulnerability in the Advanced Custom Fields: Extended WordPress plugin allows unauthenticated attackers to gain administrative privileges, and roughly 50,000 sites remain exposed, a technical analysis by Wordfence warned.

KEY FACTS

  • Incident: CVE-2025-14533 allows role escalation via the plugin's form action
  • Affected sites: ACF Extended is active on about 100,000 sites, with roughly 50,000 potentially exposed
  • Versions: affects ACF Extended 0.9.2.1 and earlier; fixed in 0.9.2.2
  • Vector: unauthenticated remote attackers can set a user role through form fields

The vulnerability arises from a failure to enforce role restrictions when the plugin processes the Insert User or Update User form actions. Because the restriction is not re-checked on the server, an attacker can submit an arbitrary value for the role field even when the field settings limit the roles a form may assign.
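The vulnerable pattern beside its server-side fix, as an added illustration that is not ACF Extended's code: the field-setting and function names are hypothetical, while wp_insert_user(), wp_update_user() and current_user_can() are real WordPress functions referenced only in comments.

```php
<?php
// Added illustrative example; this is not ACF Extended's code and the
// function and setting names below are hypothetical. It models a form handler
// that builds the user record later passed to wp_insert_user()/wp_update_user().

// Hypothetical field settings: the roles the form author allowed to be chosen.
$role_setting = [
    'allowed_roles' => ['subscriber', 'contributor'],
    'default'       => 'subscriber',
];
// Constructed sample submission (in WordPress this arrives via $_POST).
// The role value lies outside the configured allow-list.
$submitted = [
    'user_login' => 'example_user',
    'user_email' => 'example_user@example.com',
    'role'       => 'administrator',
];

// Vulnerable pattern: the role is copied straight from the request, so the
// field-level restriction only exists in the rendered form, not on the server.
function build_userdata_vulnerable(array $submitted): array
{
    return [
        'user_login' => $submitted['user_login'],
        'user_email' => $submitted['user_email'],
        'role'       => $submitted['role'],
    ];
}

// Hardened pattern: the requested role must appear in the field's allow-list;
// anything else falls back to the configured default. For an Update User action
// a role change should also be gated on the acting user's capability, e.g.
// current_user_can('promote_users'), since the form alone proves nothing.
function resolve_role(string $requested, array $role_setting): string
{
    return in_array($requested, $role_setting['allowed_roles'], true)
        ? $requested
        : $role_setting['default'];
}
function build_userdata_hardened(array $submitted, array $role_setting): array
{
    return [
        'user_login' => $submitted['user_login'],
        'user_email' => $submitted['user_email'],
        'role'       => resolve_role($submitted['role'] ?? '', $role_setting),
    ];
}

echo 'vulnerable: ' . build_userdata_vulnerable($submitted)['role'] . PHP_EOL;
echo 'hardened:   ' . build_userdata_hardened($submitted, $role_setting)['role'] . PHP_EOL;
```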

Researcher Andrea Bocchetti discovered the issue on December 10, 2025 and submitted a report for validation. The vendor issued a fix four days later in ACF Extended version 0.9.2.2.

Based on download statistics, the plugin is active on about 100,000 websites. Roughly 50,000 users downloaded the plugin after the patch was released, which leaves a similar number of installations that may still run vulnerable versions.

The flaw is exploitable only on sites that explicitly use a Create User or Update User form with a role field mapped. No confirmed attacks targeting CVE-2025-14533 have been observed at this time.

WHY IT MATTERS

The vulnerability permits privilege escalation that can lead to full site compromise when exploited. Administrators of sites that use form-based user creation should update to ACF Extended 0.9.2.2 and review any user creation or update forms that include a role field.