CVE-2025-13486

Published Dec 3, 2025

Last updated 19 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-13486 is a remote code execution (RCE) vulnerability affecting the Advanced Custom Fields: Extended plugin for WordPress. Specifically, versions 0.9.0.5 through 0.9.1.1 are affected. The vulnerability lies in the `prepare_form()` function, which improperly handles user input by passing it to PHP's `call_user_func_array()` without sufficient validation. This vulnerability allows unauthenticated attackers to inject and execute arbitrary PHP code on the server hosting the WordPress site. This can be leveraged to inject backdoors or create new administrative user accounts, potentially granting them full control over affected websites. The vulnerability was discovered by dudekmar and reported through the Wordfence Bug Bounty Program. Version 0.9.2 of the plugin has addressed the vulnerability.

Description: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
Source: security@wordfence.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@wordfence.com: CWE-94

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 16

References