Primary

Context

Advanced Custom Fields: Extended Remote Code Execution Vulnerability

Vulnerability

Patched

A remote code execution vulnerability has been identified in the Advanced Custom Fields: Extended plugin for WordPress, affecting versions 0.9.0.5 prior to 0.9.1.1. The vulnerability arises in the prepare_form() function, which improperly handles user input by passing it through call_user_func_array(). This flaw allows unauthenticated attackers to execute arbitrary code on the server, potentially leading to the injection of backdoors or the creation of new administrative user accounts.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the potential to inject backdoors or create new administrative user accounts.

Remediation

Users are advised to update the Advanced Custom Fields: Extended plugin to version 0.9.2 or a newer patched version.

Added: Dec 3, 2025, 7:18 AM

Updated: Dec 3, 2025, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

10.0

exploitability

8.2

remediation

7.7

relevance

1.2

threat

4.7

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

10.0

exploitability

8.2

remediation

7.7

relevance

1.2

threat

4.7

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Advanced Custom Fields: Extended Remote Code Execution Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Advanced Custom Fields: Extended

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating