CVE-2025-13486
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary code on WordPress sites running vulnerable versions of the Advanced Custom Fields: Extended plugin. Attackers can inject backdoors, create administrative accounts, or take full control of affected websites. All WordPress sites using this plugin in the vulnerable version range are affected.
💻 Affected Systems
- Advanced Custom Fields: Extended WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to install persistent backdoors, steal sensitive data, deface websites, or use the server for further attacks.
Likely Case
Attackers create administrative WordPress accounts, inject web shells, or deploy cryptocurrency miners on vulnerable servers.
If Mitigated
With proper web application firewalls and intrusion detection systems, attacks may be blocked or detected before causing significant damage.
🎯 Exploit Status
Exploitation is trivial and requires no authentication. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.1.2 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3400134/acf-extended
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find Advanced Custom Fields: Extended. 4. Click Update Now. 5. Verify version is 0.9.1.2 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the Advanced Custom Fields: Extended plugin until patched
wp plugin deactivate acf-extended
Web Application Firewall rule
allBlock requests to the prepare_form() function endpoint
🧯 If You Can't Patch
- Immediately disable the Advanced Custom Fields: Extended plugin
- Implement strict network segmentation and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Advanced Custom Fields: Extended versionCheck Version:
wp plugin get acf-extended --field=versionVerify Fix Applied:
Verify plugin version is 0.9.1.2 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with action=acfe/form/prepare
- Sudden creation of new WordPress admin users
- Unexpected PHP file uploads or modifications
Network Indicators:
- HTTP requests containing call_user_func_array patterns
- Traffic to known malicious domains from WordPress server
SIEM Query:
source="wordpress.logs" AND ("acfe/form/prepare" OR "call_user_func_array")