ACF plugin bug gives hackers admin on 50,000 WordPress sites
Recorded: Jan. 21, 2026, 12:03 a.m.
By Bill Toulas, January 20, 2026

A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions. The flaw arises from the lack of enforcement of role restrictions during form-based user creation or updates, and exploitation works even when role limitations are appropriately configured in the field settings.
Figure: Plugin enumeration activity (Source: GreyNoise)
A critical vulnerability, designated CVE-2025-14533, has been identified in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress, affecting approximately 50,000 websites. The flaw stems from missing role restrictions when users are created or updated through the plugin's 'Create User' and 'Update User' form actions: versions 0.9.2.1 and earlier let an unauthenticated attacker set a user's role arbitrarily, including to 'administrator', regardless of the roles configured in the field settings. Because the restriction is not enforced on the server side, limiting the roles offered in the form UI gives no protection. The privilege-escalation bug was discovered by Andrea Bocchetti and reported to Wordfence on December 10, 2025; the vendor released the fixed version 0.9.2.2 four days later.

Separately, threat-monitoring firm GreyNoise reports extensive WordPress plugin enumeration by third parties, targeting a range of plugins including Post SMTP, Loginizer, LiteSpeed Cache, and SEO by Rank Math, originating from 145 ASNs and covering 706 distinct plugins. The reconnaissance ran from late October 2025 to mid-January 2026 and involved over 40,000 unique enumeration events. GreyNoise's records also show that the Post SMTP flaw (CVE-2025-11833) was actively exploited, with 91 IPs involved in targeted attacks. LiteSpeed Cache, one of the enumerated plugins, has its own recent history: Wordfence warned in August 2024 that its privilege-escalation flaw CVE-2024-28000 was being actively exploited. Enumeration of this kind is normally the step that precedes exploitation of a known flaw, so an unauthenticated privilege-escalation bug in a widely deployed plugin should be treated as a near-term target. The plugin's broad adoption magnifies the impact; BleepingComputer puts the exposed population at roughly 50,000 sites.
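The bug class described above, a form action that trusts the role submitted with the request, is easy to reproduce in any WordPress code that creates or updates users. The following is an added illustration written for this page, not ACF Extended's code, and it does not reproduce how that plugin's form actions are implemented. It puts the vulnerable pattern beside a hardened one that enforces the field's role allowlist on the server and requires the `promote_users` capability before assigning a privileged role. It assumes a WordPress runtime (`wp_insert_user`, `wp_roles`, `current_user_can`, `get_userdata`, `WP_Error` are core functions and classes); the `demo_` function names, the `DEMO_SENSITIVE_CAPS` list and the `subscriber` fallback are assumptions chosen for the example.

```php
<?php
/**
 * Added example, not ACF Extended's code. Models a front-end form action that
 * creates or updates a WordPress user. The vulnerable variant trusts the role
 * in the request; the hardened variant resolves the role server-side against
 * the field's saved allowlist and the privileges of the actor.
 * Assumes a WordPress runtime is loaded.
 */

// --- Vulnerable: the role is whatever the client sent. ----------------------
function demo_vulnerable_user_action( array $post, int $user_id = 0 ) {
    $role = $post['role'] ?? 'subscriber';          // attacker-controlled value
    if ( $user_id ) {
        $user = get_userdata( $user_id );
        $user->set_role( $role );                   // 'administrator' goes straight through
        return $user_id;
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? wp_generate_password(),
        'role'       => $role,                      // no check against field settings
    ) );
}

// --- Hardened: resolve the role on the server before touching the user. -----
// Capabilities that amount to site takeover if handed to an anonymous submitter
// (assumed list for the example; extend it for your own role set).
const DEMO_SENSITIVE_CAPS = array(
    'manage_options', 'edit_users', 'promote_users', 'create_users',
    'install_plugins', 'edit_plugins', 'edit_themes', 'unfiltered_html',
);

/**
 * @param string $submitted     Role slug taken from the request.
 * @param array  $allowed_roles Allowlist from the field's stored settings; read it
 *                              from the database, never from a hidden form input.
 * @param string $fallback      Role assigned when the submitted one is rejected.
 */
function demo_resolve_role( string $submitted, array $allowed_roles, string $fallback = 'subscriber' ): string {
    $submitted = sanitize_key( $submitted );
    $roles     = wp_roles()->roles;                 // slug => ['name' => ..., 'capabilities' => [...]]

    // Unknown role, or a role this form was never configured to offer.
    if ( ! isset( $roles[ $submitted ] ) || ! in_array( $submitted, $allowed_roles, true ) ) {
        return $fallback;
    }

    // Even an allowlisted role must not grant site-wide control unless the
    // actor is logged in and allowed to promote users.
    $granted = array_keys( array_filter( $roles[ $submitted ]['capabilities'] ) );
    if ( array_intersect( $granted, DEMO_SENSITIVE_CAPS ) && ! current_user_can( 'promote_users' ) ) {
        return $fallback;
    }
    return $submitted;
}

function demo_hardened_user_action( array $post, array $allowed_roles, int $user_id = 0 ) {
    $role = demo_resolve_role( (string) ( $post['role'] ?? '' ), $allowed_roles );

    if ( $user_id ) {
        // Updating an existing account requires the edit_user meta capability,
        // which an unauthenticated visitor never has.
        if ( ! current_user_can( 'edit_user', $user_id ) ) {
            return new WP_Error( 'forbidden', 'Not allowed to modify this user.' );
        }
        $user = get_userdata( $user_id );
        if ( ! $user ) {
            return new WP_Error( 'not_found', 'Unknown user.' );
        }
        // set_role() replaces every existing role, so only call it with a
        // resolved value and only when it actually changes something.
        if ( ! in_array( $role, (array) $user->roles, true ) ) {
            $user->set_role( $role );
        }
        return $user_id;
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ?? '', true ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? wp_generate_password(),
        'role'       => $role,
    ) );
}
```

Two points follow from the article's wording that exploitation works "even when role limitations are appropriately configured". First, the allowlist in `demo_resolve_role` has to come from the field's stored configuration; if it is echoed into the page as a hidden input and read back, an attacker simply edits that too. Second, a nonce check does not help here, because a public registration form is meant to be submitted by anonymous visitors; the control that matters is the server-side mapping from "what this form may assign" to "what this actor may assign".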
The enumeration activity GreyNoise observed shows attackers continuing to catalogue the plugins installed on WordPress sites and then exploiting known flaws in them. No attacks targeting CVE-2025-14533 have been observed to date, but the reconnaissance indicates how quickly such a bug can be picked up once a vulnerable plugin is identified on a site. Organizations running ACF Extended should update to version 0.9.2.2 or later promptly. Because the flaw allows users to be created or promoted, patching alone does not evict an attacker who already used it: review the site's user list for administrator accounts created or promoted while a vulnerable version was installed and remove any that cannot be accounted for. The concurrent attention to CVE-2024-28000 and CVE-2025-11833 shows that attackers work WordPress plugin vulnerabilities as a portfolio, which argues for vulnerability scanning of the whole plugin inventory and a layered defense rather than one-off patching.
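The page does not say how GreyNoise identifies enumeration, so what follows is an added example, not GreyNoise's or BleepingComputer's code, showing one common heuristic a site operator can run against their own web server logs: a single source IP requesting `readme.txt` under many distinct plugin directories, most of which return 404 because those plugins are not installed. The access-log lines are constructed for the example; the plugin slugs are the wordpress.org directory names of the plugins the article mentions (`acf-extended` for ACF Extended); the threshold of five distinct plugins is an assumption, chosen low because the observed campaign touched 706 plugins in 40,000 events and any one site sees only a slice of that.

```php
<?php
/**
 * Added example (not from the article or GreyNoise): flag source IPs that probe
 * many distinct plugin directories, the reconnaissance pattern described above.
 * Input is Apache/Nginx "combined" access-log text; the sample below is constructed.
 */

const DEMO_ACCESS_LOG = <<<'LOG'
203.0.113.10 - - [14/Jan/2026:03:12:01 +0000] "GET /wp-content/plugins/post-smtp/readme.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jan/2026:03:12:01 +0000] "GET /wp-content/plugins/loginizer/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jan/2026:03:12:02 +0000] "GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jan/2026:03:12:02 +0000] "GET /wp-content/plugins/seo-by-rank-math/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jan/2026:03:12:03 +0000] "GET /wp-content/plugins/acf-extended/readme.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2026:03:15:44 +0000] "GET /wp-content/plugins/acf-extended/assets/css/acfe.css HTTP/1.1" 200 4410 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2026:03:15:44 +0000] "GET /wp-content/plugins/post-smtp/assets/js/admin.js HTTP/1.1" 200 900 "https://example.test/" "Mozilla/5.0"
LOG;

/**
 * Returns one alert per source IP that requested the readme (or bare plugin
 * directory) of at least $min_distinct different plugins. Ordinary page loads
 * fetch assets under a slug with a referer and are ignored.
 *
 * @return array<string, array{distinct_plugins:int, not_installed:int, plugins:string[]}>
 */
function demo_detect_plugin_enumeration( string $log, int $min_distinct = 5 ): array {
    // ip, request path under /wp-content/plugins/<slug>/, and HTTP status.
    $pattern = '~^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) /wp-content/plugins/([a-z0-9_-]+)/([^" ?]*)[^"]*" (\d{3})~i';
    $per_ip  = array();

    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue;
        }
        $ip     = $m[1];
        $slug   = strtolower( $m[2] );
        $path   = $m[3];
        $status = $m[4];

        // The enumeration signal: the plugin's readme.txt or its bare directory.
        if ( $path !== 'readme.txt' && $path !== '' ) {
            continue;
        }
        $per_ip[ $ip ]['slugs'][ $slug ] = true;
        $per_ip[ $ip ]['missing'] = ( $per_ip[ $ip ]['missing'] ?? 0 ) + ( $status === '404' ? 1 : 0 );
    }

    $alerts = array();
    foreach ( $per_ip as $ip => $data ) {
        $distinct = count( $data['slugs'] );
        if ( $distinct >= $min_distinct ) {
            $alerts[ $ip ] = array(
                'distinct_plugins' => $distinct,
                'not_installed'    => $data['missing'],   // 404s: probing for plugins this site lacks
                'plugins'          => array_keys( $data['slugs'] ),
            );
        }
    }
    return $alerts;
}

print_r( demo_detect_plugin_enumeration( DEMO_ACCESS_LOG ) );
```

Run as `php detect.php` against the embedded sample, or replace `DEMO_ACCESS_LOG` with `file_get_contents( '/var/log/nginx/access.log' )`. The `not_installed` count is the more useful field operationally: a visitor who triggers 404s under `/wp-content/plugins/` for plugins the site never had is not a browser rendering pages, and once such an IP has also fetched the readme of a plugin that did return 200, the operator knows exactly which version string the scanner has read and can prioritise patching that plugin.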