{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14533", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-11T10:11:32.336Z", "datePublished": "2026-01-20T09:25:00.542Z", "dateUpdated": "2026-04-08T17:25:47.419Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:47.419Z"}, "affected": [{"vendor": "hwk-fr", "product": "Advanced Custom Fields: Extended", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.9.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field."}], "title": "Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "timeline": [{"time": "2025-12-11T10:28:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-19T21:07:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:09:44.703198Z", "id": "CVE-2025-14533", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:10:03.430Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14533", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T15:09:44.703198Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:09:17.443Z"}}], "cna": {"title": "Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action", "credits": [{"lang": "en", "type": "finder", "value": "andrea bocchetti"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "hwk-fr", "product": "Advanced Custom Fields: Extended", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.9.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T10:28:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-19T21:07:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437"}, {"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356"}], "descriptions": [{"lang": "en", "value": "The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:47.419Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14533", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:25:47.419Z", "dateReserved": "2025-12-11T10:11:32.336Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-20T09:25:00.542Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field."}, {"lang": "es", "value": "El plugin Advanced Custom Fields: Extended para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 0.9.2.1, inclusive. Esto se debe a que la funci\u00f3n 'insert_user' no restringe los roles con los que un usuario puede registrarse. Esto hace posible que atacantes no autenticados proporcionen el rol de 'administrator' durante el registro y obtengan acceso de administrador al sitio. Nota: La vulnerabilidad solo puede ser explotada si 'role' est\u00e1 mapeado al campo personalizado."}], "id": "CVE-2025-14533", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-20T10:16:05.583", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:01:28.765609+00:00", "value": {"mitigation_remediation": ["Update Advanced Custom Fields: Extended to version 0.9.2.2 or later", "If upgrading immediately is not possible, remove or disable the custom field that maps to the role so that users cannot set it during registration", "Restrict access to the user\u2011creation form or lock the site down temporarily until the plugin is updated"], "summary": {"action": "Patch Now", "impact": "Unauthenticated privilege escalation to administrator"}, "threat_synthesis": {"affected_systems": "All installations of the Advanced Custom Fields: Extended plugin up to and including version 0.9.2.1 are vulnerable. The vulnerability relies on the role field being mapped to a custom field in the form module. Sites that use this mapping and the affected plugin version are impacted; newer releases such as 0.9.2.2 and later are not affected.", "description_and_impact": "The Advanced Custom Fields: Extended plugin for WordPress contains a flaw that allows any user, even without authentication, to create a new user account with the administrator role. The flaw exists because the insert_user function does not enforce role restrictions when the value for the role field is supplied. If an attacker supplies the word \"administrator\" in the role field during a form submission, the plugin will create an account with full administrator privileges, providing complete control over the site.", "risk_and_exploitability": "With a CVSS score of 9.8, the vulnerability is considered critical. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the issue is not listed in CISA's KEV catalog. The attack vector is web\u2011based: an unauthenticated user can submit the form that creates a new user. The flaw only works if the role mapping is enabled, which is common in default configurations. Once exploited, the attacker gains system\u2011wide administrative access, allowing modification of site content, plugins, users, and configuration."}}}}, "created": "2026-01-21T11:19:43.977712+00:00", "updated": "2026-04-20T21:15:20.621295+00:00", "vendors": ["hwk-fr", "hwk-fr$PRODUCT$advanced_custom_fields", "wordpress", "wordpress$PRODUCT$wordpress"]}