CVE-2025-13486

Published Dec 3, 2025

Last updated 2 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-13486 is a remote code execution (RCE) vulnerability in the Advanced Custom Fields: Extended plugin for WordPress, affecting versions 0.9.0.5 through 0.9.1.1. The flaw lies in the `prepare_form()` function, which passes user input to PHP's `call_user_func_array()` without sufficient validation, so an unauthenticated attacker can cause arbitrary PHP code to execute on the server hosting the WordPress site. This can be leveraged to inject backdoors or create new administrative user accounts, potentially granting the attacker full control over affected websites. The vulnerability was discovered by dudekmar and reported through the Wordfence Bug Bounty Program. Version 0.9.2 of the plugin addresses the vulnerability.

Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
Source: security@wordfence.com
NVD status: Awaiting Analysis
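The weakness class named in the description (a request-controlled callable reaching `call_user_func_array()`, CWE-94) and one conventional hardening, shown as an added PHP illustration. This is not the plugin's code: the `FormDispatcher` class, the handler names and the request shape are assumptions made for the example.

```php
<?php
// Added illustration, not code from Advanced Custom Fields: Extended.
// Class, handler names and request shape are assumptions made for the example.

// Weak pattern (CWE-94): the callable name is taken straight from the request,
// so the client decides which function runs. Shown only to contrast with the
// hardened dispatcher below; it is never called here.
function unsafe_dispatch(array $request)
{
    $callback = $request['callback'] ?? '';
    $args     = $request['args'] ?? [];
    return call_user_func_array($callback, (array) $args);
}

// Hardened pattern: the request selects a key; the callable comes from a table
// fixed at authoring time and never from client data.
final class FormDispatcher
{
    /** @var array<string, callable> */
    private array $handlers;

    public function __construct()
    {
        $this->handlers = [
            'validate_email' => [$this, 'validateEmail'],
            'validate_phone' => [$this, 'validatePhone'],
        ];
    }

    public function dispatch(array $request): bool
    {
        $key = $request['callback'] ?? null;
        if (!is_string($key) || !array_key_exists($key, $this->handlers)) {
            throw new InvalidArgumentException('Unknown form handler');
        }

        $args = $request['args'] ?? [];
        if (!is_array($args)) {
            throw new InvalidArgumentException('Handler arguments must be an array');
        }

        // array_values() drops string keys: since PHP 8.0, string keys passed to
        // call_user_func_array() are treated as named arguments, which would let
        // the client choose parameters by name.
        return call_user_func_array($this->handlers[$key], array_values($args));
    }

    public function validateEmail(string $value): bool
    {
        return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
    }

    public function validatePhone(string $value): bool
    {
        return preg_match('/^\+?[0-9 ]{7,20}$/', $value) === 1;
    }
}

// Constructed sample requests (not captured traffic).
$dispatcher = new FormDispatcher();

$ok = $dispatcher->dispatch(['callback' => 'validate_email', 'args' => ['user@example.com']]);
var_dump($ok);

try {
    // A key that is not in the table is rejected before anything is invoked.
    $dispatcher->dispatch(['callback' => 'not_a_registered_handler', 'args' => []]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design point is that the client never supplies a callable, only an opaque key looked up in a closed table, and that positional arguments are re-indexed so no parameter can be selected by name. When reviewing plugin code for this pattern, any `call_user_func_array()`, `call_user_func()` or `$fn()` whose target is derived from `$_POST`, `$_GET` or a REST/AJAX payload without such a lookup deserves the same scrutiny.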

Risk scores

CVSS 3.1
Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

CWE-94 (source: security@wordfence.com)

Social media

Hype score: Not currently trending
  1. #VulnerabilityReport #ACFExtended Critical ACF Extended Flaw (CVE-2025-13486, CVSS 9.8) Allows Unauthenticated RCE on 100K WordPress Sites https://t.co/UxPaZEDf90
     @Komodosec, 7 Jan 2026: 17 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  2. CVE-2025-13486 https://t.co/FB9Dtix1pI
     @hyunchiya, 2 Jan 2026: 67 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  3. CVE-2025-13486-exploit #exploit CVE-2025-13486 - Remote Code Execution & Privilege Escalation exploit https://t.co/LmFc5gjqGp
     @TheExploitLab, 22 Dec 2025: 123 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  4. 🚨 CVE-2025-13486 - critical 🚨 Advanced Custom Fields Extended < 0.9.2 - Remote Code Execution > Advanced Custom Fields: Extended WordPress plugin 0.9.0.5 through 0.9.1.1 contains a ... 👾 https://t.co/XY8Pe8dfjw @pdnuclei #NucleiTemplates #cve
     @pdnuclei_bot, 15 Dec 2025: 172 impressions, 0 retweets, 1 like, 1 bookmark, 0 replies, 0 quotes

  5. Latest CVE breakdown available now! A severe WordPress flaw allows remote code execution on 100K+ sites. Learn how to patch CVE-2025-13486 and protect your business today. 🔗 Get the
     @PurpleOps_io, 3 Dec 2025: 38 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  6. [CVE-2025-13486: CRITICAL] Vulnerability in WordPress plugin "Advanced Custom Fields: Extended" allows Remote Code Execution in versions 0.9.0.5-0.9.1.1 via prepare_form() function, enabling unauthorized acc...#cve,CVE-2025-13486,#cybersecurity https://t.co/2KkXa23JGC https://t.c
     @CveFindCom, 3 Dec 2025: 30 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  7. CVE-2025-13486 The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. … https://t.co/0cM71E8cqw
     @CVEnew, 3 Dec 2025: 353 impressions, 1 retweet, 2 likes, 0 bookmarks, 0 replies, 0 quotes

  8. A critical flaw allowing unauthenticated remote code execution has been found in a popular WordPress extension plugin. If the design defect in its input handling is exploited, attackers could take arbitrary actions and gain control of the site (CVE-2025-13486).
     @yousukezan, 3 Dec 2025: 11668 impressions, 40 retweets, 80 likes, 37 bookmarks, 0 replies, 1 quote