50,000 WordPress website affected in main plugin safety flaw - here is how one can keep secure

[ad_1]

Vital bug in ACF: Prolonged WordPress plugin permits arbitrary function escalation to administratorAbout 50,000 WordPress websites are susceptible regardless of patch in model 0.9.2.2No exploitation reported but, however attackers more likely to probe uncovered websites quickly Round 50,000 WordPress web sites are presently liable to full website takeover, on account of a critical-severity vulnerability that was not too long ago found in a well-liked plugin.

In mid-December 2025, Wordfence was notified by safety researcher Andrea Bocchetti of a vulnerability in Superior Customized Fields: Prolonged, a plugin which provides extra options to the Superior Customized Fields (ACF) plugin.

ACF additionally lets customers add customized fields to posts and pages, and it's presently being actively utilized by round 100,000 WordPress web sites.

It's possible you'll like

Find out how to keep secure Bocchetti stated that the bug stems from function restrictions not being enforced correctly throughout form-based person creation, or updates.

"Within the susceptible model, there aren't any restrictions for kind fields, so the person's function will be set arbitrarily, even to 'administrator', whatever the subject settings, if there's a function subject added to the shape," Wordfence defined in its advisory.

"As with all privilege escalation vulnerability, this can be utilized for full website compromise.”

In different phrases, any unauthenticated person can set themselves as admins for a WordPress website, primarily taking on the location.

Signal as much as the TechRadar Professional e-newsletter to get all the highest information, opinion, options and steerage your corporation must succeed!

The vulnerability was found in variations 0.9.2.1 and earlier and is now being tracked as CVE-2025-14533. It was given a severity rating of 9.8/10 (essential).

The silver lining is that it can't be exploited simply. The websites want to make use of a ‘Create Person’ or ‘Replace Person’ kind with a task subject mapped.

The bug was remedied in model 0.9.2.2. In line with WordPress’ official stats, roughly 50,000 web sites have already up to date to the most recent model, leaving roughly the identical variety of these which might be nonetheless susceptible.

It's possible you'll like

At press time, there was no proof of the flaw being abused within the wild, however now that the information is on the market, it's secure to imagine that cybercriminals will begin at the least probing for vulnerabilities.

Through BleepingComputer

<img alt="Best antivirus software header" srcset="https://cdn.mos.cms.futurecdn.net/HpHXmtXFPnuzaQ8m9xNW8j-140-80.png 140w" sizes="99vw" class="person__avatar image-wrapped__image image__image" loading="lazy" data-normal="https://cdn.mos.cms.futurecdn.net/HpHXmtXFPnuzaQ8m9xNW8j.png" src="https://cdn.mos.cms.futurecdn.net/HpHXmtXFPnuzaQ8m9xNW8j.png" data-pin-media="https://cdn.mos.cms.futurecdn.net/HpHXmtXFPnuzaQ8m9xNW8j.png" data-pin-nopin="true" data-slice-image="true"/> The most effective antivirus for all budgets

Our prime picks, primarily based on real-world testing and comparisons Comply with TechRadar on Google Information and add us as a most popular supply to get our professional information, opinions, and opinion in your feeds. Ensure to click on the Comply with button!

And naturally it's also possible to observe TechRadar on TikTok for information, opinions, unboxings in video kind, and get common updates from us on WhatsApp too.