Advanced Custom Fields: Extended WordPress Plugin Unauthenticated Arbitrary Shortcode Execution Vulnerability

Vulnerability

A vulnerability allowing unauthenticated arbitrary shortcode execution has been identified in the Advanced Custom Fields: Extended plugin for WordPress, affecting all versions through 0.9.2.3. The issue arises because the plugin allows users to execute actions without proper validation, enabling the execution of arbitrary shortcodes via the email action in forms.

Impact

Successful exploitation lets an unauthenticated attacker run arbitrary shortcodes on the site; the resulting impact depends on what the executed shortcode does.

Reproduction

To reproduce this vulnerability, create a form using the Advanced Custom Fields: Extended plugin version 0.9.2.3 or earlier. Include the email action in the form. Once the form is submitted, the vulnerability can be exploited by injecting a shortcode that is not properly validated before execution. This can be done by manipulating the form's success message or using a mapped field group.

Remediation

Users are advised to update the Advanced Custom Fields: Extended plugin to version 0.9.2.4 or a newer patched version.
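As an added defender-side example (not the plugin's code or its patch; the field names and the sample POST body are constructed), the following Python scans a form submission for WordPress shortcode syntax in user-controlled values, the kind of check a WAF rule or log monitor could apply to submissions reaching the vulnerable email action, and shows one way to neutralise such a value before it is ever passed through do_shortcode().

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST body, shaped like a front-end form submission.
# The field names are illustrative, not the plugin's real field names.
SAMPLE_POST_BODY = (
    "acf[field_name]=Alice"
    "&acf[field_message]=hello%20world%20%5B%5Bnot_a_shortcode%5D%5D"
    "&acf[field_website]=%5Bwp_recent_posts%20count%3D%225%22%5D"
)

# A shortcode tag name must follow "[" directly; attributes, if any, follow
# whitespace.  Unlike WordPress's own regex this does not know which tags are
# registered, so it flags anything shaped like a shortcode.
SHORTCODE_RE = re.compile(r"\[([A-Za-z0-9_-]+)(?![\w-])(?:\s[^\]]*)?\]")
# "[[tag]]" is WordPress's escape form and renders literally, so ignore it.
ESCAPED_RE = re.compile(r"\[\[[^\]]*\]\]")


def find_shortcodes(text):
    """Return the tag names of every shortcode-like token in text."""
    return SHORTCODE_RE.findall(ESCAPED_RE.sub("", text))


def scan_form_submission(body):
    """Map each submitted field containing shortcode syntax to the tags found."""
    flagged = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        tags = [t for v in values for t in find_shortcodes(v)]
        if tags:
            flagged[field] = tags
    return flagged


def neutralize_shortcodes(text):
    """Make a user-supplied value inert for do_shortcode(): the parser looks
    for literal brackets, so HTML-entity brackets are never expanded."""
    return text.replace("[", "&#91;").replace("]", "&#93;")


if __name__ == "__main__":
    for field, tags in scan_form_submission(SAMPLE_POST_BODY).items():
        print(f"{field}: shortcode syntax {tags}")
```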

Added: May 12, 2026, 11:25 PM
Updated: May 12, 2026, 11:25 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 8.0
remediation: 7.7
relevance: 8.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.