CVE-2025-13486 in Advanced Custom Fields Plugin
Summary
by MITRE • 12/03/2025
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/04/2025
The Advanced Custom Fields: Extended plugin for WordPress represents a widely used extension that enhances custom field functionality within the WordPress ecosystem. This particular vulnerability affects versions ranging from 0.9.0.5 through 0.9.1.1, creating a significant security risk for WordPress installations that utilize this plugin. The vulnerability stems from improper input validation and sanitization within the prepare_form() function, which operates as a critical entry point for malicious exploitation. The flaw exists in the plugin's architecture where user-supplied data is not adequately filtered or validated before being processed, creating an exploitable pathway for remote attackers to gain unauthorized access to affected systems.
The technical implementation of this vulnerability involves the dangerous use of call_user_func_array() function within the prepare_form() method, which serves as a primary attack vector for remote code execution. This function allows dynamic execution of PHP code based on user input, effectively bypassing normal security restrictions and access controls. When user data is passed directly to call_user_func_array() without proper sanitization, attackers can manipulate the input to execute arbitrary PHP commands on the target server. This vulnerability falls under the CWE-94 category of "Improper Control of Generation of Code ('Code Injection')" and represents a classic example of unsafe dynamic code execution that has been documented in numerous security advisories across the industry.
The operational impact of this vulnerability extends far beyond simple code execution capabilities, as it provides attackers with comprehensive control over affected WordPress installations. Unauthenticated attackers can leverage this vulnerability to inject backdoors into the system, establish persistent access, and potentially escalate privileges to administrative levels. The ability to create new administrative user accounts represents a particularly dangerous aspect of this vulnerability, as it allows attackers to maintain long-term access even if the initial exploit is patched. This type of attack aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: PowerShell" and T1566.001 for "Phishing: Spearphishing Attachment," as attackers can use the compromised system to further propagate their attacks. The vulnerability creates a persistent threat that can be exploited across multiple sessions and can potentially compromise entire WordPress networks if multiple sites use the vulnerable plugin.
Organizations should immediately implement mitigation strategies that include disabling or removing the vulnerable plugin from affected systems, applying the latest available patches from the plugin developers, and monitoring system logs for signs of exploitation attempts. Network-based intrusion detection systems should be configured to monitor for suspicious patterns related to the vulnerable function calls and unusual file modifications. Additionally, security teams should conduct comprehensive vulnerability assessments to identify all instances of the affected plugin versions and ensure proper input validation measures are implemented. The remediation process should include implementing web application firewalls to filter malicious requests and establishing monitoring protocols to detect unauthorized administrative account creation. Regular security audits and penetration testing should be conducted to verify the effectiveness of implemented controls and to identify any potential secondary vulnerabilities that may have been introduced during the exploitation process.