← back
CVE-2025-13486

Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form

CVSS 9.8 CRITICALEPSS 73.6%CWE-94
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
hwk-fr · Advanced Custom Fields: Extended
public PoCs found6
githubgithub.com/0xanis/CVE-2025-13486-POC5githubgithub.com/MataKucing-OFC/CVE-2025-134862githubgithub.com/0xgh057r3c0n/CVE-2025-134862githubgithub.com/whattheslime/CVE-2025-134861githubgithub.com/0xnemian/CVE-2025-13486.-CVE-2025-134860githubgithub.com/KrE80r/cve-2025-13486-vuln-setup0
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://plugins.trac.wordpress.org/changeset/3400134/acf-extendedhttps://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9?source=cve