CVE-2025-13486 Scanner - Remote Code Execution vulnerability in Advanced Custom Fields Extended
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 26 days 15 hours
Scan only one: Domain, Subdomain, IPv4
Advanced Custom Fields Extended is a popular WordPress plugin that extends the custom-field capabilities of WordPress sites. Web developers use it to build customized editing interfaces and content experiences, and it is adopted across diverse industries because it adapts content management to specific business needs. Its users range from individual bloggers to large corporations seeking richer content personalization. By adding custom fields and functionality within WordPress, the plugin supports sophisticated content strategies. Such widespread use in WordPress projects makes the security of this plugin critically important.
The Remote Code Execution (RCE) vulnerability allows an attacker to execute arbitrary code on a server where the plugin is installed, without needing authentication. Exploitation is straightforward because the vulnerability stems from insufficient input validation in the handling of user data. Once exploited, malicious actors can take control of the server, leading to serious breaches such as backdoor installation or unauthorized creation of administrator accounts. The vulnerability is critical because it threatens the integrity, confidentiality, and availability of affected systems, and it therefore demands immediate attention and remediation.
The vulnerability lies in the prepare_form() function of the Advanced Custom Fields Extended plugin, which insecurely uses call_user_func_array(). Malicious users can exploit it by sending crafted requests to the affected endpoint, /wp-admin/admin-ajax.php, with specific parameters that bypass the necessary checks. Because the form data is not properly sanitized, the call can be steered into arbitrary code execution. The flaw is exploited post-authentication through unsanitized variables in form inputs, resulting in the execution of unauthorized commands. In short, the function is misused because the handler does not adequately verify that the request, and the callback it selects, are authentic and legitimate.
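To make the weakness described above concrete, the following added example (not the plugin's code, and not a reproduction of the actual prepare_form() logic) contrasts the general pattern of an admin-ajax handler that lets request data pick the callable passed to call_user_func_array() with a hardened handler. The action names, field names, and callbacks (demo_prepare_form, field_type, demo_render_*) are hypothetical; the WordPress functions used (add_action, check_ajax_referer, current_user_can, sanitize_key, sanitize_text_field, wp_unslash, wp_send_json_success, wp_send_json_error) are the real core APIs.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical handler names throughout.

// WEAK PATTERN: the request body chooses both the callable and its arguments.
// call_user_func_array() will happily invoke whatever PHP callable is named,
// so a lack of validation here is what turns "form handling" into code execution.
add_action( 'wp_ajax_demo_prepare_form_weak', function () {
    $callback = $_POST['callback'] ?? '';            // attacker-controlled callable name
    $args     = (array) ( $_POST['args'] ?? array() ); // attacker-controlled arguments
    $result   = call_user_func_array( $callback, $args );
    wp_send_json_success( $result );
} );

// HARDENED PATTERN: the request never names a PHP function. It supplies a short
// key that is looked up in a fixed allowlist; every other input is sanitized and
// passed positionally to the chosen callback. The nonce and capability checks
// ensure only an intended, authorized user can reach the handler at all.
const DEMO_FORM_CALLBACKS = array(
    'render_text'   => 'demo_render_text_field',
    'render_select' => 'demo_render_select_field',
);

function demo_render_text_field( $label ) {
    return array( 'type' => 'text', 'label' => $label );
}

function demo_render_select_field( $label ) {
    return array( 'type' => 'select', 'label' => $label );
}

add_action( 'wp_ajax_demo_prepare_form', function () {
    // 1. CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'demo_prepare_form', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() terminates the request
    }

    // 3. Allowlist lookup: reject anything that is not a known field type.
    $key = sanitize_key( $_POST['field_type'] ?? '' );
    if ( ! isset( DEMO_FORM_CALLBACKS[ $key ] ) ) {
        wp_send_json_error( 'unknown field type', 400 );
    }

    // 4. Sanitize remaining inputs and pass them explicitly; the client cannot
    //    influence which function runs, only the data it renders.
    $label  = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    $result = call_user_func_array( DEMO_FORM_CALLBACKS[ $key ], array( $label ) );
    wp_send_json_success( $result );
} );
```

The defensive point is that call_user_func_array() itself is not the bug; letting untrusted request data decide which callable it invokes is. Mapping client-supplied keys to a fixed table of callbacks, and gating the endpoint with a nonce and a capability check, removes that control from the attacker regardless of how the arguments are later sanitized.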
Exploiting this RCE vulnerability can have severe impacts, including unauthorized access to sensitive data, modification of existing website content, and broader system compromise that serves as a foothold for further attacks. It may also enable the installation of backdoors, giving attackers persistent access. Compromised systems can in turn be used to launch attacks against other systems. In severe cases, the resulting data breaches carry legal repercussions and damage the reputation of businesses relying on the affected systems. Such compromises underscore the need for regular updates and security audits of WordPress plugins and components.