CVE-2026-8809
Privilege Escalation in Advanced Custom Fields Extended
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| advanced_custom_fields | extended | up to and including 0.9.2.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to privilege escalation via a validation bypass in all versions up to and including 0.9.2.5. The function after_validate_save_post() trusts the client-supplied _acf_post_id parameter without checking that the request is authenticated or that the value has not been tampered with. By manipulating this parameter, an unauthenticated attacker can suppress the validation errors that would otherwise reject the submission and, through a public ACFE frontend form that has a Create User action mapping a role field, create a new administrator-level user account without authorization.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to create new administrator accounts on a vulnerable WordPress site. This means attackers can gain full control over the site, potentially leading to data theft, site defacement, or further malicious activities.
What immediate steps should I take to mitigate this vulnerability?
Update the Advanced Custom Fields: Extended plugin for WordPress to a patched release later than 0.9.2.5.
Until the update is applied, remove the precondition the attack depends on: do not expose a public ACFE frontend form configured with a Create User action that maps a role field. Disable the form, require authentication to reach it, or drop the role mapping so the role cannot be set from the submission.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start by confirming exposure: check whether the site runs Advanced Custom Fields: Extended at version 0.9.2.5 or earlier and whether it publishes an ACFE frontend form with a Create User action that maps a role field. Both conditions must hold for the site to be exploitable.
The malicious request is an unauthenticated POST whose body carries the _acf_post_id parameter. Standard Apache and Nginx access logs record only the request line (method, path, query string) and the status code, not the POST body, so grepping them for '_acf_post_id' will find nothing unless request bodies are captured by a WAF, a ModSecurity audit log, or a custom log format. Where such body logging exists:
- grep '_acf_post_id' /var/log/apache2/access.log
- grep '_acf_post_id' /var/log/nginx/access.log
From ordinary access logs, look instead for POST requests to the page that hosts the frontend form, especially from addresses that then log in shortly afterwards.
The most reliable signal is the effect: a new administrator account. List administrators with WP-CLI (or query the users table), compare against the accounts you expect, and check registration times:
- wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Treat any administrator you did not create, or one registered within minutes of a POST to the form page, as a likely sign of exploitation and investigate before the account is used further.
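The two signals above (an administrator account that was not in your baseline, and a POST to the form page shortly before that account's registration time) can be correlated automatically. The script below is an added example, not part of this advisory or of the plugin; it consumes the JSON that `wp user list --format=json` produces and ordinary "combined"-format access log lines. The admin lists, the log lines and the form path /register/ are constructed for the example; the real form path is whatever page hosts your ACFE frontend form.

```python
"""Correlate new WordPress administrators with POSTs to a frontend form page.

Added example for CVE-2026-8809 detection; all input data below is constructed.
"""
import json
import re
from datetime import datetime, timezone

# Constructed output of:
#   wp user list --role=administrator --format=json \
#       --fields=ID,user_login,user_email,user_registered
# taken once as a known-good baseline and once now.
BASELINE_ADMINS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
  "user_registered": "2024-01-10 09:12:44"}
]"""

CURRENT_ADMINS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
  "user_registered": "2024-01-10 09:12:44"},
 {"ID": 57, "user_login": "wp_support", "user_email": "x@example.net",
  "user_registered": "2026-05-29 03:41:07"}
]"""

# Constructed Apache/Nginx "combined" access log lines. The POST body, where
# _acf_post_id travels, is not present in this format; only method, path and
# status are, which is why we key on POSTs to the (hypothetical) form page.
ACCESS_LOG = """\
203.0.113.7 - - [29/May/2026:03:40:58 +0000] "GET /register/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.7 - - [29/May/2026:03:41:06 +0000] "POST /register/ HTTP/1.1" 302 0 "https://example.com/register/" "Mozilla/5.0"
203.0.113.7 - - [29/May/2026:03:41:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [29/May/2026:08:02:11 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def new_admins(baseline_json, current_json):
    """Administrators present now that were absent from the baseline snapshot."""
    known = {u["ID"] for u in json.loads(baseline_json)}
    return [u for u in json.loads(current_json) if u["ID"] not in known]


def posts_to_form(log_text, form_path):
    """(ip, timestamp, status) for every POST to form_path in combined-format logs."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == form_path:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def correlate(admins, posts, window_minutes=10):
    """Pair each new admin with form POSTs made shortly before its registration.

    wp_users.user_registered is stored in GMT, so both sides are compared in UTC.
    """
    suspects = []
    for u in admins:
        reg = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        reg = reg.replace(tzinfo=timezone.utc)
        for ip, ts, _status in posts:
            seen = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            delta = (reg - seen).total_seconds()
            if 0 <= delta <= window_minutes * 60:
                suspects.append((u["user_login"], ip))
    return suspects


if __name__ == "__main__":
    admins = new_admins(BASELINE_ADMINS_JSON, CURRENT_ADMINS_JSON)
    posts = posts_to_form(ACCESS_LOG, "/register/")
    for login, ip in correlate(admins, posts):
        print(f"new administrator {login!r} created within minutes of a form POST from {ip}")
```

Run it against a baseline you captured before the advisory date; any administrator it reports that you did not create is worth treating as an incident, and the paired client address gives you a starting point for the rest of the access log.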