According to Roger Montti’s article on Search Engine Journal, “WordPress Advanced Custom Fields Extended Plugin Vulnerability,” a critical security flaw has been identified in the Advanced Custom Fields: Extended WordPress plugin that could allow unauthenticated attackers to take over affected websites fully.
Critical Vulnerability Overview
Montti reports that the flaw is rated 9.8 (Critical) and impacts up to 100,000 active installations of the ACF Extended plugin, an add-on to Advanced Custom Fields Pro widely used for front-end forms and advanced content workflows.
The vulnerability allows attackers to register new user accounts with administrator privileges, giving them complete control over a WordPress site, including plugins, themes, settings, and data.
Root Cause: Privilege Escalation via User Registration
The issue stems from a privilege escalation flaw in the plugin’s insert_user function. According to Montti, the plugin failed to enforce server-side restrictions on which user roles could be assigned during front-end user registration.
When a site used a front-end form that mapped a custom field directly to the WordPress user role field, attackers could manipulate the form submission to assign themselves the administrator role, even if the form was intended to allow only lower-privilege roles such as Subscriber.
The plugin relied on front-end form controls to limit role selection but did not validate submitted values on the backend, allowing attackers to bypass those restrictions.
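To make the root cause concrete, here is an added example (written for this summary, not the plugin's own code) of a WordPress front-end registration handler in the vulnerable shape described above, beside a hardened version that validates the submitted role on the server. The field and nonce names (`user_role`, `register_nonce`, `example_register`) and the allowlist contents are assumptions; the WordPress functions used (`wp_insert_user`, `sanitize_key`, `wp_verify_nonce`, `get_role`, `get_option`) are standard core APIs.

```php
<?php
// Added example: vulnerable vs. hardened self-registration handler.
// Field names and the allowlist below are hypothetical.

// VULNERABLE PATTERN: the role comes straight from the submitted form.
// A dropdown on the page may only list "subscriber", but nothing stops a
// client from posting role=administrator instead.
function example_register_user_vulnerable( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => $post['user_pass'] ?? '',
        'role'       => $post['user_role'] ?? 'subscriber', // attacker-controlled
    ) );
}

// HARDENED PATTERN: the server decides which roles a public form may grant.
function example_allowed_registration_roles() {
    // Roles a self-service form may hand out. Administrator is never here.
    return array( 'subscriber', 'contributor' );
}

function example_validate_role( $submitted ) {
    $role = sanitize_key( (string) $submitted );

    // Anything outside the allowlist falls back to the site default role
    // instead of being honoured.
    if ( ! in_array( $role, example_allowed_registration_roles(), true ) ) {
        return get_option( 'default_role', 'subscriber' );
    }

    // Belt and braces: even an allowlisted role must not carry
    // manage_options, which is effectively full site control.
    $role_obj = get_role( $role );
    if ( $role_obj && $role_obj->has_cap( 'manage_options' ) ) {
        return get_option( 'default_role', 'subscriber' );
    }

    return $role;
}

function example_register_user_hardened( array $post ) {
    // Reject submissions that did not originate from our own form.
    if ( empty( $post['register_nonce'] )
        || ! wp_verify_nonce( $post['register_nonce'], 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    $role = example_validate_role( $post['user_role'] ?? '' );

    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => $post['user_pass'] ?? '',
        'role'       => $role, // server-chosen, never the raw submitted value
    ) );
}
```

The important design point is that the allowlist lives in server-side code, so the roles offered by the form's `<select>` element are a convenience for the user rather than a security control; whatever the client submits, `example_validate_role()` is the only place a role can be granted from.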
Exploitation Conditions and Impact
Montti notes that exploitation requires specific conditions:
- The site must use an ACF Extended front-end form.
- The form must allow user registration.
- A custom field must be mapped to the WordPress role field.
When those conditions are met, attackers can gain full administrative access. Wordfence has confirmed active exploitation attempts, indicating that attackers are already scanning for vulnerable sites.
With administrator access, attackers can install malware, create backdoor accounts, redirect traffic, steal data, or completely compromise the site.
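Since the attack leaves behind a new administrator account, the first thing a site owner can do after updating is audit who holds that role. The following is an added example (not from the original article or the plugin) that lists administrator accounts and flags any not on an expected list or registered after a given date; the `$expected_admins` array and the cutoff date are placeholders to be filled in per site. It uses the core `get_users()` API and is meant to run from a WP-CLI `eval-file` or a small mu-plugin.

```php
<?php
// Added example: audit administrator accounts after a suspected
// privilege-escalation incident. Placeholders must be set per site.

function example_audit_administrators( array $expected_admins, $cutoff_mysql_datetime ) {
    $findings = array();

    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
        'fields'  => 'all',
    ) );

    $cutoff_ts = strtotime( $cutoff_mysql_datetime );

    foreach ( $admins as $user ) {
        $reasons = array();

        // Not in the list of administrators the owner knows about.
        if ( ! in_array( $user->user_login, $expected_admins, true ) ) {
            $reasons[] = 'not in expected admin list';
        }

        // Registered after the cutoff (for example, the day the advisory
        // was published or the earliest suspicious log entry).
        if ( $cutoff_ts !== false && strtotime( $user->user_registered ) >= $cutoff_ts ) {
            $reasons[] = 'registered on/after ' . $cutoff_mysql_datetime;
        }

        if ( $reasons ) {
            $findings[] = array(
                'ID'         => $user->ID,
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
                'reasons'    => $reasons,
            );
        }
    }

    return $findings;
}

// Placeholder values: replace with the site's real administrators and
// the date from which new admin accounts should be treated as suspect.
$expected_admins = array( 'site-owner-placeholder' );
$cutoff          = '2000-01-01 00:00:00'; // placeholder, set to the incident window

foreach ( example_audit_administrators( $expected_admins, $cutoff ) as $hit ) {
    printf(
        "SUSPECT admin #%d %s <%s> registered %s: %s\n",
        $hit['ID'],
        $hit['login'],
        $hit['email'],
        $hit['registered'],
        implode( ', ', $hit['reasons'] )
    );
}
```

Any account this reports should be reviewed rather than deleted blindly, since removing a user in WordPress also prompts for reassignment of their content; the registration timestamp and e-mail domain are usually enough to tell a legitimate colleague from an injected account, and a rotated password plus session invalidation for every remaining administrator is sensible once the plugin is updated.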
Patch and Recommendations
The vulnerability affects all versions up to and including 0.9.2.1 and was fixed in version 0.9.2.2. The patch adds server-side validation to ensure submitted form values match allowed role choices and introduces additional security hooks for form handling.
Montti strongly advises site owners to update immediately. If updating is not possible, the plugin should be disabled until the fix can be applied.
Given the severity of the flaw and the lack of authentication, delaying action leaves sites exposed to a full takeover, making this one of the most serious WordPress plugin vulnerabilities disclosed this year.