vulnerability

WordPress Plugin: acf-extended: CVE-2025-14533: Improper Privilege Management

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Jan 19, 2026	Jan 20, 2026	Jan 21, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Jan 19, 2026

Added

Jan 20, 2026

Modified

Jan 21, 2026

Description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.

Solution

acf-extended-plugin-cve-2025-14533

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-14533
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=api-prod
CVE-2025-14533
https://attackerkb.com/topics/CVE-2025-14533
CWE-269

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today