A serious security flaw has been identified in the Advanced Custom Fields: Extended WordPress plugin, placing up to 100,000 websites at risk of a full site takeover by attackers who do not need to be logged in.

The issue, which carries a critical severity score of 9.8, allows an unauthenticated user to create an account with administrator-level permissions, giving them complete control over a vulnerable website.

Advanced Custom Fields: Extended is an add-on for the widely used Advanced Custom Fields Pro plugin. It is popular with developers and site owners who use it to enhance custom field functionality, build front-end forms, manage options pages, define custom post types and taxonomies, and tailor the WordPress admin area.

Because the plugin is often used on sites that rely heavily on front-end user interaction and advanced content workflows, the potential impact of this vulnerability is particularly serious.

The flaw can be exploited without any prior access to the site. This means attackers do not need stolen login details or existing user accounts to attempt an attack, significantly increasing the overall risk.

At the heart of the issue is a privilege escalation weakness linked to how the plugin handles user registration. The problem stems from the plugin’s insert_user function, which fails to properly restrict which user roles can be assigned when a new account is created.

Under normal circumstances, WordPress tightly controls role assignment during registration. However, this protection was effectively bypassed when certain plugin configurations were in place.

The vulnerability occurs when a front-end form created with the plugin maps a custom field directly to the WordPress user role field. In this scenario, the plugin accepted whatever role value was submitted without checking whether it was allowed.

In practice, this meant an attacker could inspect the form’s HTML, identify the role field, and alter the request before submission. Instead of registering as a subscriber, for example, they could change the value to “administrator”.

Because the plugin relied on client-side restrictions rather than server-side checks, the manipulated request was accepted and passed directly to WordPress’s user creation process.

This lack of backend validation meant the plugin trusted user input it should never have trusted, opening the door to complete site compromise.

Once exploited, the attacker would gain full administrator access. With this level of control, they could install or modify plugins and themes, inject malicious code, create hidden backdoor accounts, steal or alter site data, redirect visitors, or distribute malware.

Security firm Wordfence confirmed that the vulnerability affects all plugin versions up to and including 0.9.2.1. It also reported blocking active exploitation attempts, suggesting attackers are already scanning for exposed sites.

The issue has now been fixed in version 0.9.2.2. The update introduces stronger server-side validation for front-end form submissions and adds specific safeguards around user role selection.

According to the plugin changelog, the patch enforces validation against defined field choices, adds new security measures for role-based forms, and introduces hooks to improve form validation control.
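To make the weakness and the fix concrete, the following is an added illustration written for this article; it is not code from the Advanced Custom Fields: Extended plugin or from its patch. It contrasts a front-end registration handler that passes the submitted role straight to `wp_insert_user()` (the pattern the advisory describes) with one that validates the role server-side against the choices the form was configured with and never lets a public form assign a privileged role. The function names, the `$allowed_choices` parameter and the form field names are hypothetical; the WordPress API calls (`wp_insert_user`, `get_role`, `sanitize_key`, `WP_Error`, and so on) are real.

```php
<?php
// Added example, not the plugin's code. Demonstrates why a <select> with
// limited options is not a security control: the request body is fully
// attacker-controlled, so the role must be checked on the server.

/**
 * WEAK pattern: whatever role value arrives in the POST body is trusted and
 * handed to WordPress. Editing the request is enough to pick any role.
 */
function example_register_user_weak( array $post ) {
    $login = sanitize_user( $post['user_login'] ?? '' );
    $email = sanitize_email( $post['user_email'] ?? '' );
    $role  = $post['role'] ?? 'subscriber';   // trusted as-is: the bug

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
        'role'       => $role,
    ) );
}

/**
 * HARDENED pattern: the submitted role is validated against the choices the
 * form was configured with ($allowed_choices, hypothetical), and privileged
 * roles are excluded from public registration regardless of configuration.
 * Returns a WP_Error on any mismatch instead of silently falling back.
 */
function example_register_user_hardened( array $post, array $allowed_choices ) {
    // Roles that an unauthenticated form must never be able to assign.
    // (Design choice for this example; extend as your site requires.)
    $never_public = array( 'administrator', 'editor' );

    // Effective allow-list = configured choices minus privileged roles.
    $allowed = array_values( array_diff( $allowed_choices, $never_public ) );
    if ( empty( $allowed ) ) {
        // Nothing safe was configured: fall back to the site default role.
        $allowed = array( get_option( 'default_role', 'subscriber' ) );
    }

    $requested = isset( $post['role'] ) ? sanitize_key( $post['role'] ) : $allowed[0];

    // Server-side check against the allow-list, strict comparison.
    if ( ! in_array( $requested, $allowed, true ) ) {
        return new WP_Error( 'invalid_role', 'Submitted role is not permitted.' );
    }
    // The role must also actually exist in this WordPress install.
    if ( null === get_role( $requested ) ) {
        return new WP_Error( 'invalid_role', 'Unknown role.' );
    }

    $login = sanitize_user( $post['user_login'] ?? '', true );
    $email = sanitize_email( $post['user_email'] ?? '' );
    if ( '' === $login || ! is_email( $email ) ) {
        return new WP_Error( 'invalid_input', 'A login name and a valid e-mail address are required.' );
    }

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
        'role'       => $requested,
    ) );
}
```

The hardened version applies two independent controls: an allow-list derived from the form's own configured choices (the "validation against defined field choices" the changelog refers to) and a fixed exclusion of privileged roles, so a misconfigured form that lists `administrator` as an option still cannot hand it out to anonymous visitors. Failing closed with a `WP_Error` rather than quietly substituting the default role also makes tampering visible in logs, which is what a site owner reviewing registration traffic after this advisory would want.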

Site owners running Advanced Custom Fields: Extended are strongly advised to update to the latest version immediately. If an update is not possible, the safest option is to disable the plugin until the fix can be applied.

Given the critical nature of the vulnerability and the ease with which it can be exploited, leaving affected sites unpatched poses a serious and ongoing security risk.