cleantalk
Vulnerabilities and Security Researches

Advanced Custom Fields: Extended, CVE-2026-8809

CVE, Research URL

CVE-2026-8809

Home page URL

Security reports for Advanced Custom Fields: Extended

Application

Advanced Custom Fields: Extended

Published on
May 29, 2026
Research Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.
Affected versions
max 0.9.2.6.
Status
vulnerable
Previous vulnerability researches
PropertyHive (CVE-2026-42729) , May 28, 2026
PropertyHive (CVE-2024-37204) , Jun 24, 2024
PropertyHive (CVE-2025-58612) , Sep 05, 2025
PropertyHive (CVE-2024-8490) , Sep 18, 2024
PropertyHive (CVE-2025-66087) , Dec 10, 2025
New vulnerability
WP Contact Form 7 DB Handler (CVE-2026-6455) , May 29, 2026
Duplicate Page and Post (CVE-2026-49046) , May 29, 2026
a3 Lazy Load (CVE-2026-6427) , May 29, 2026
Advanced Custom Fields: Extended (CVE-2026-8809) , May 29, 2026
Master Slider – Responsive Touch Slider (CVE-2026-48968) , May 29, 2026