Vulnerabilities and security researches foracf-extended acf-extended

May 13, 2026

CVE, Research URL: CVE-2025-15463
Home page URL: Security reports for Advanced Custom Fields: Extended
Application: Advanced Custom Fields: Extended
Date: May 13, 2026
Research Description: The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Affected versions: max 0.9.2.4.
Status: vulnerable

Jan 28, 2026

CVE, Research URL: CVE-2025-14533
Home page URL: Security reports for Advanced Custom Fields: Extended
Application: Advanced Custom Fields: Extended
Date: Jan 20, 2026
Research Description: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
Affected versions: max 0.9.2.2.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-13486
Home page URL: Security reports for Advanced Custom Fields: Extended
Application: Advanced Custom Fields: Extended
Date: Dec 03, 2025
Research Description: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
Affected versions: max 0.9.2.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2023-5292
Home page URL: Security reports for Advanced Custom Fields: Extended
Application: Advanced Custom Fields: Extended
Date: Oct 20, 2023
Research Description: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acfe_form' shortcode in versions up to, and including, 0.8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 0.8.9.4.
Status: vulnerable

CVE, Research URL: CVE-2021-24865
Home page URL: Security reports for Advanced Custom Fields: Extended
Application: Advanced Custom Fields: Extended
Date: Jan 24, 2022
Research Description: The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue
Affected versions: max 0.8.8.7.
Status: vulnerable