WordPress ACF Extended Unauthenticated RCE via prepare_form()
| Disclosed |
|---|
| Dec 2, 2025 |
Description
This module exploits an unauthenticated remote code execution vulnerability in the
Advanced Custom Fields: Extended (ACF Extended) WordPress plugin, versions 0.9.0.5
through 0.9.1.1. The flaw is in the prepare_form() function of the
acfe_module_form_front_render class, which takes the user-controlled form[render]
request parameter and passes it directly to call_user_func_array() as the callback,
without restricting it to the plugin's own renderers. An unauthenticated attacker can
therefore name an arbitrary PHP function to be invoked by the form endpoint.
This exploit requires a WordPress page containing an ACF Extended form widget; the
page's JavaScript exposes the nonce token the form endpoint expects. Because a WordPress
nonce is a CSRF token rather than an authentication check, harvesting it from such a
public page is enough to satisfy it. The NONCE_PAGE option must be set to the path of
that page.
The module uses the callback to create an administrator account via wp_insert_user(),
then uploads and executes a malicious plugin through that account to achieve remote
code execution (RCE).
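The following PHP is an added illustration of the code pattern described above, beside a hardened form of it. It is not the plugin's actual prepare_form() code: the function names render_form_vulnerable(), render_form_hardened() and the two renderer functions are hypothetical, and the assumption that the callback arguments arrive under a form[args] key is ours, not something the page states.

```php
<?php
// Added illustration of the vulnerable pattern (user-controlled callback handed to
// call_user_func_array()) and a hardened replacement. Not the plugin's own code;
// all function names here are hypothetical.

// Vulnerable pattern: $form is decoded from the request, so $form['render'] is whatever
// the attacker sent, e.g. 'wp_insert_user'. is_callable() is NOT a mitigation: it only
// confirms the attacker picked a function that exists. (The 'args' key is an assumption.)
function render_form_vulnerable(array $form)
{
    if (!empty($form['render']) && is_callable($form['render'])) {
        $args = (isset($form['args']) && is_array($form['args'])) ? $form['args'] : [];
        return call_user_func_array($form['render'], $args);
    }
    return null;
}

// Hardened pattern: the request may only pick a key from a fixed, code-defined allowlist.
// The callable itself never comes from the request, and unknown keys fail closed.
// Note that sanitize_text_field()-style filtering would not help here: 'wp_insert_user'
// is already a clean string; the problem is that it is used as a callback at all.
const ALLOWED_RENDERERS = [
    'default' => 'render_default_form',
    'compact' => 'render_compact_form',
];

function render_default_form(string $title): string
{
    return '<form>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</form>';
}

function render_compact_form(string $title): string
{
    return '<form class="compact">' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</form>';
}

function render_form_hardened(array $form)
{
    $key = (isset($form['render']) && is_string($form['render'])) ? $form['render'] : 'default';
    if (!array_key_exists($key, ALLOWED_RENDERERS)) {
        // Reject anything outside the allowlist instead of invoking what the request named.
        return null;
    }
    $title = isset($form['title']) ? (string) $form['title'] : '';
    return call_user_func(ALLOWED_RENDERERS[$key], $title);
}

// Constructed sample payloads, i.e. what form[render]=... decodes to on the server.
$malicious = ['render' => 'phpinfo', 'args' => []];
$benign    = ['render' => 'compact', 'title' => 'Contact <us>'];

var_dump(render_form_hardened($malicious)); // NULL: 'phpinfo' is not an allowlisted key
echo render_form_hardened($benign), "\n";   // <form class="compact">Contact &lt;us&gt;</form>
```

When auditing similar code, grep for call_user_func, call_user_func_array and variable-function calls ($fn()) whose first argument is traceable to $_POST, $_GET or $_REQUEST; the fix is always an allowlist keyed by request value, never a filter applied to the function name.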