CVE-2026-8809
Deferred Deferred - Pending Action
Privilege Escalation in Advanced Custom Fields Extended

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter β€” with no authentication or integrity verification β€” to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8809
EUVD
EUVD-2026-33165
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
advanced_custom_fields extended to 0.9.2.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Advanced Custom Fields: Extended plugin for WordPress has a vulnerability called Privilege Escalation via Validation Bypass in versions up to 0.9.2.5. This happens because the function after_validate_save_post() trusts an attacker-controlled parameter (_acf_post_id) without checking authentication or integrity. This allows attackers to bypass validation errors and create a new administrator-level user account without proper authorization.

Impact Analysis

This vulnerability can allow unauthenticated attackers to create new administrator accounts on a vulnerable WordPress site. This means attackers can gain full control over the site, potentially leading to data theft, site defacement, or further malicious activities.

Mitigation Strategies

To mitigate this vulnerability, you should update the Advanced Custom Fields: Extended plugin for WordPress to a version later than 0.9.2.5 where this issue is fixed.

Additionally, ensure that your WordPress site does not expose a public ACFE frontend form configured with a Create User action that maps a role field, as this configuration is required for exploitation.

Detection Guidance

This vulnerability can be detected by checking if the WordPress site is running the Advanced Custom Fields: Extended plugin version 0.9.2.5 or earlier and if it exposes a public ACFE frontend form configured with a Create User action that maps a role field.

Since the vulnerability involves an unauthenticated POST parameter (_acf_post_id) that bypasses validation to create an administrator user, detection can involve monitoring for suspicious POST requests to the site that include the _acf_post_id parameter.

  • Use web server access logs to search for POST requests containing '_acf_post_id'. For example, using grep on Apache or Nginx logs:
  • grep '_acf_post_id' /var/log/apache2/access.log
  • grep '_acf_post_id' /var/log/nginx/access.log
  • Check for creation of new administrator users in WordPress by querying the database or using WP-CLI:
  • wp user list --role=administrator

Monitoring for unexpected new administrator accounts or unusual POST requests with the _acf_post_id parameter can help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8809. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart