Critical Vulnerability in ACF Extended Plugin Exposes 50,000 WordPress Sites to Potential Takeover

A severe flaw in the ACF Extended plugin allows unauthenticated users to gain administrative access, affecting approximately 50,000 WordPress sites.

Andrew Wallace

Professional Tech Editor

Focuses on professional-grade hardware, software, and enterprise solutions.

A critical security vulnerability has been identified in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress, potentially exposing around 50,000 websites to unauthorized administrative access. The flaw, tracked as CVE-2025-14533, was discovered by security researcher Andrea Bocchetti in December 2025 and reported to Wordfence.

The vulnerability arises from improper role enforcement when users are created or updated through the plugin's frontend forms. Because the role value is taken from the submitted form data rather than enforced on the server, an unauthenticated visitor who includes a role field in the submission can assign themselves the administrator role, regardless of how the form's fields are configured. This oversight can lead to complete site compromise, including the creation of administrator accounts, installation of malware, and manipulation of site content.

The flaw affects versions of ACF Extended up to and including 0.9.2.1. A patched version, 0.9.2.2, was released promptly to address the issue. Despite the availability of the update, approximately 50,000 sites remain vulnerable, according to WordPress' official plugin statistics. While there have been no confirmed reports of exploitation, the widespread disclosure of this vulnerability increases the likelihood of cybercriminals probing for and exploiting unpatched installations. Website administrators are strongly advised to update to the latest version of ACF Extended immediately to mitigate potential risks. (wp-firewall.com)
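To show what "enforcing the role on the server" means for this class of bug, here is an added illustration of a frontend user-form handler; it is not code from ACF Extended or from the 0.9.2.2 fix, and the function names, the `$submitted` payload and the `$configured_role` parameter are hypothetical. Only WordPress core APIs are used.

```php
<?php
// Added example (not ACF Extended's code): a frontend user-form handler that
// decides the role server-side instead of trusting a submitted 'role' field.

/**
 * Resolve the role a user created or updated through a public form may get.
 * Unauthenticated visitors never pick a role; a logged-in user may only pick one
 * if they hold promote_users and the role exists. Administrator is excluded
 * from frontend assignment entirely (a policy choice assumed for this example).
 */
function example_resolve_role( array $submitted, string $configured_role = '' ): string {
    // Fall back to the form's configured role, else the site default role.
    $fallback = $configured_role !== '' ? $configured_role : get_option( 'default_role', 'subscriber' );

    if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
        return $fallback;
    }

    $requested = isset( $submitted['role'] ) ? sanitize_key( $submitted['role'] ) : '';
    if ( $requested === '' || ! wp_roles()->is_role( $requested ) || $requested === 'administrator' ) {
        return $fallback;
    }
    return $requested;
}

/**
 * Create or update the user. The submitted array is never passed to core as-is:
 * an allow-list of fields is built and 'role' is replaced by the server decision.
 */
function example_save_user( array $submitted, string $configured_role = '' ) {
    $userdata = array(
        'user_login' => sanitize_user( $submitted['user_login'] ?? '' ),
        'user_email' => sanitize_email( $submitted['user_email'] ?? '' ),
        'role'       => example_resolve_role( $submitted, $configured_role ),
    );

    if ( ! empty( $submitted['ID'] ) ) {
        $userdata['ID'] = (int) $submitted['ID'];
        return wp_update_user( $userdata ); // returns user ID or WP_Error
    }

    $userdata['user_pass'] = wp_generate_password();
    return wp_insert_user( $userdata ); // returns user ID or WP_Error
}
```

The detection angle is the same check in reverse: alert on any `wp_insert_user` or `wp_update_user` call originating from a frontend request that carries an administrator role, and audit the users table for administrator accounts created outside the admin area.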
