A critical vulnerability in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin has exposed around 50,000 sites to potential hacker takeovers. Tracked as CVE-2025-14533, this flaw affects versions up to 0.9.2.1 and allows unauthenticated attackers to gain administrator privileges through flawed user creation forms. Discovered by researcher Andrea Bocchetti and reported via Wordfence on December 10, 2025, the issue was swiftly patched in version 0.9.2.2 just four days later. Despite the quick fix, download stats show many sites remain unpatched, leaving them vulnerable to remote exploitation.
The vulnerability originates in the plugin's 'Insert User / Update User' form action, where role restrictions are not properly enforced. Attackers can exploit this by submitting crafted requests that assign the 'administrator' role, bypassing any configured limitations in field settings.This privilege escalation requires sites to use forms with a 'role' field mapped to custom fields, a common setup for user registration features. Once successful, hackers achieve full site control, enabling data theft, malware injection, or backdoor installation without needing prior access.
ACF Extended, active on over 100,000 WordPress installations, builds on the popular Advanced Custom Fields plugin to offer developers advanced customization tools. Its widespread use amplifies the risk, as roughly half of users have yet to update since the patch release in mid-December 2025. WordPress sites relying on these plugins for dynamic content often overlook such configurations, inadvertently creating attack vectors.
This privilege escalation bug allows attackers to arbitrarily assign the 'administrator' role during user registration or updates, bypassing any configured limitations in field settings. Exploitation requires sites using ACF Extended forms with a 'role' field mapped to custom fields, a common setup for advanced user management in custom themes and plugins. Once exploited, hackers gain full control, enabling them to install malicious code, steal data, or pivot to server-level compromises without needing credentials.
Threat intelligence from GreyNoise reveals aggressive reconnaissance scanning 706 WordPress plugins, including ACF Extended, by nearly 1,000 IPs across 145 ASNs from late October 2025 to mid-January 2026. While no confirmed exploits of CVE-2025-14533 have surfaced, patterns mirror attacks on vulnerabilities like those in Post SMTP and LiteSpeed Cache, signaling imminent danger.This enumeration boom underscores how attackers probe for unpatched flaws before launching mass campaigns.
Site owners must urgently update to ACF Extended 0.9.2.2 or later via the WordPress dashboard and audit forms for role mappings.Additional steps include disabling public registration, reviewing user accounts for anomalies, and deploying firewalls like Wordfence for real-time blocking. In WordPress's vast ecosystem, proactive patching remains the frontline defense against such admin takeovers, preventing potential site-wide devastation.