
WordPress ACF Extended Unauthenticated RCE via prepare_form()

Disclosed
Dec 2, 2025
Created
Dec 19, 2025

Description

This module exploits an unauthenticated Remote Code Execution vulnerability in the
Advanced Custom Fields: Extended (ACF Extended) WordPress plugin versions 0.9.0.5
through 0.9.1.1. The vulnerability exists in the prepare_form() function of the
acfe_module_form_front_render class, which accepts user-controlled input via the
form[render] parameter and passes it directly to call_user_func_array() without
proper sanitization.

This exploit requires a WordPress page containing an ACF Extended form widget, which
exposes the required nonce token in the page's JavaScript. The NONCE_PAGE option
must be set to the path of such a page.

Once an administrator account is created via wp_insert_user(), the module uploads
and executes a malicious plugin to achieve remote code execution (RCE).
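As an added illustration of the bug class described above (this is not the plugin's or the module's code; every function, array and value here is hypothetical), the request-controlled-callback pattern beside an allow-list fix:

```php
<?php
// Added illustration only: NOT the ACF Extended source. Names are hypothetical.

// Stands in for any function the attacker should never be able to reach.
function privileged_action(array $unused) { return 'privileged action executed'; }

function render_default(array $fields) { return '<form>' . implode('', $fields) . '</form>'; }
function render_compact(array $fields) { return '<form class="compact">' . implode('', $fields) . '</form>'; }

// Weak pattern: the callable name comes straight from the request (form[render])
// and is handed to call_user_func_array(). Any reachable PHP function can be named.
function prepare_form_weak(array $form, array $args)
{
    $render = $form['render'] ?? 'render_default';
    return call_user_func_array($render, $args);
}

// Hardened pattern: the request may only pick a key from a fixed allow-list of
// renderers the plugin owns; the callable itself never comes from user input.
const RENDERERS = [
    'default' => 'render_default',
    'compact' => 'render_compact',
];

function prepare_form_hardened(array $form, array $args)
{
    $key = $form['render'] ?? 'default';
    // is_string() first: an array-valued form[render] must not reach array_key_exists().
    if (!is_string($key) || !array_key_exists($key, RENDERERS)) {
        throw new InvalidArgumentException('unknown renderer');
    }
    return call_user_func_array(RENDERERS[$key], $args);
}

// Constructed request data: a legitimate selection and a hostile one.
$fields = ['<input name="a">'];
echo prepare_form_hardened(['render' => 'compact'], [$fields]), "\n";
echo prepare_form_weak(['render' => 'privileged_action'], [$fields]), "\n"; // weak path reaches it
try {
    prepare_form_hardened(['render' => 'privileged_action'], [$fields]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n"; // hardened path refuses it
}
```

The same allow-list rule applies to any value a form can pass into the dispatch: the check must be on the key, and the mapping to a callable must stay server-side.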

Authors

Marcin Dudek (dudekmar) - CERT.PL
Valentin Lobstein

Platform

Linux, PHP, Unix, Windows

Architectures

php, cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/multi/http/wp_acf_extended_rce
msf exploit(wp_acf_extended_rce) > show targets
...targets...
msf exploit(wp_acf_extended_rce) > set TARGET < target-id >
msf exploit(wp_acf_extended_rce) > show options
...show and set options...
msf exploit(wp_acf_extended_rce) > exploit
