CVE-2025-13486

Published Dec 3, 2025

Last updated 3 months ago

Overview

Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
Source
security@wordfence.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@wordfence.com
CWE-94

Social media

Hype score
Not currently trending
  1. #VulnerabilityReport #ACFExtended Critical ACF Extended Flaw (CVE-2025-13486, CVSS 9.8) Allows Unauthenticated RCE on 100K WordPress Sites https://t.co/UxPaZEDf90

    @Komodosec, 7 Jan 2026

    17 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  2. CVE-2025-13486 https://t.co/FB9Dtix1pI

    @hyunchiya, 2 Jan 2026

    67 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  3. CVE-2025-13486-exploit #exploit CVE-2025-13486 - Remote Code Execution & Privilege Escalation exploit https://t.co/LmFc5gjqGp

    @TheExploitLab, 22 Dec 2025

    123 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  4. 🚨 CVE-2025-13486 - critical 🚨 Advanced Custom Fields Extended < 0.9.2 - Remote Code Execution > Advanced Custom Fields: Extended WordPress plugin 0.9.0.5 through 0.9.1.1 contains a ... 👾 https://t.co/XY8Pe8dfjw @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot, 15 Dec 2025

    172 Impressions, 0 Retweets, 1 Like, 1 Bookmark, 0 Replies, 0 Quotes

  5. 🔍 Latest CVE breakdown available now! A severe WordPress flaw allows remote code execution on 100K+ sites. Learn how to patch CVE-2025-13486 and protect your business today. 🔗 Get the

    @PurpleOps_io, 3 Dec 2025

    38 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  6. [CVE-2025-13486: CRITICAL] Vulnerability in WordPress plugin "Advanced Custom Fields: Extended" allows Remote Code Execution in versions 0.9.0.5-0.9.1.1 via prepare_form() function, enabling unauthorized acc...#cve,CVE-2025-13486,#cybersecurity https://t.co/2KkXa23JGC https://t.c

    @CveFindCom, 3 Dec 2025

    30 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  7. CVE-2025-13486 The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. … https://t.co/0cM71E8cqw

    @CVEnew, 3 Dec 2025

    353 Impressions, 1 Retweet, 2 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  8. A critical flaw allowing unauthenticated remote code execution has been found in a popular WordPress extension plugin. If the flawed design of its input handling is exploited, an attacker could gain full control of the site through arbitrary operations (CVE-2025-13486).

    @yousukezan, 3 Dec 2025

    11668 Impressions, 40 Retweets, 80 Likes, 37 Bookmarks, 0 Replies, 1 Quote