Critical WordPress Plugin Vulnerability Exposes Over 100,000 Sites to Privilege Escalation Attacks
A severe security flaw has been identified in the widely used Advanced Custom Fields: Extended WordPress plugin, placing more than 100,000 websites at significant risk. This vulnerability, designated as CVE-2025-14533, affects all plugin versions up to and including 0.9.2.1 and has been assigned a critical CVSS score of 9.8. If exploited, it allows unauthenticated attackers to gain administrator-level access to vulnerable sites by manipulating user registration forms.
Understanding the Vulnerability
The core issue arises from the plugin’s handling of user creation through custom forms. Website administrators can design registration or profile forms using field groups that collect data such as username, email, password, and user role. Typically, role selection should be strictly controlled, permitting only safe roles like ‘subscriber’ for new users. However, in the affected versions, this control is inadequate, leading to potential exploitation.
Security analysts at Wordfence discovered that the plugin’s `insert_user` form action does not adequately restrict which roles can be assigned during registration when a role field is mapped. This oversight enables attackers to submit crafted requests that assign themselves the ‘administrator’ role, even if the form interface appears to limit role options. Once processed, the attacker gains full administrative privileges on the site.
Potential Impact
With administrative access, attackers can fully compromise the affected WordPress installation. They can upload malicious plugins or themes containing hidden backdoors, modify content to redirect visitors to phishing or malware sites, and implant spam or SEO poisoning payloads. Given the plugin’s extensive installation base and the ease of exploitation when a vulnerable form is present, the potential impact is severe for any site with such a user action form exposed to the public internet.
Technical Details
The vulnerability resides in the plugin’s flexible form system, designed to allow site owners to create custom user management workflows without coding. Typically, an administrator defines a field group that includes fields for user information and links it to a Create user or Update user form action. One of these fields can be a role selector, which, on the surface, appears to be limited by an Allow User Role setting.
When a form is submitted, the plugin calls the `insert_user()` function inside the `acfe_module_form_action_user` class. This function collects all submitted values, including any mapped role field, and passes them directly into WordPress’ native `wp_insert_user()` function. The issue is that, in the vulnerable versions, the plugin does not enforce the role restriction configured in the field group. The form settings provide a false sense of security, but the backend logic does not honor those limits.
Consequently, if a public-facing form includes a role field, an attacker can submit a request that assigns themselves the ‘administrator’ role, leading to a complete site takeover.
Mitigation Measures
Upon disclosure, the plugin vendor released a fix in version 0.9.2.2, and security vendors have issued protections to block exploit attempts at the firewall level. However, unpatched sites that rely solely on application-level defenses remain attractive targets for opportunistic attackers scanning for misconfigured registration forms.
Recommendations for Site Administrators
1. Immediate Update: Ensure that the Advanced Custom Fields: Extended plugin is updated to version 0.9.2.2 or later.
2. Review User Registration Forms: Examine all user registration and profile forms to ensure they do not expose role selection fields to unauthenticated users.
3. Implement Additional Security Measures: Consider deploying Web Application Firewalls (WAFs) and other security tools to monitor and block unauthorized access attempts.
4. Regular Security Audits: Conduct periodic security assessments to identify and remediate potential vulnerabilities in your WordPress installation and associated plugins.
Conclusion
The discovery of CVE-2025-14533 underscores the critical importance of maintaining up-to-date software and implementing robust security practices. By promptly updating the affected plugin and reviewing site configurations, administrators can protect their websites from potential exploitation and ensure the safety of their users.
