cleantalk
Vulnerabilities and Security Researches

Advanced Custom Fields: Extended, CVE-2025-13486

CVE, Research URL

CVE-2025-13486

Home page URL

Security reports for Advanced Custom Fields: Extended

Application

Advanced Custom Fields: Extended

Published on
Dec 03, 2025
Research Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
Affected versions
max 0.9.2.
Status
vulnerable
Previous vulnerability researches
Magento 2 WordPress Integration (CVE-2025-58669) , Oct 11, 2025
New vulnerability
Event Tickets and Registration (CVE-2025-62027) , Dec 11, 2025
Event Tickets and Registration (CVE-2025-11517) , Dec 11, 2025
Eupago Gateway For Woocommerce (CVE-2025-62870) , Dec 11, 2025
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, (CVE-2025-13196) , Dec 11, 2025
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, (CVE-2025-11536) , Dec 11, 2025