CVE-2026-8809
Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can bypass ACFE frontend form validation by manipulating the _acf_post_id parameter, leading to admin user creation.
Vulnerability
The Advanced Custom Fields: Extended (ACFE) plugin for WordPress versions up to and including 0.9.2.5 contains a privilege escalation vulnerability in its form validation logic. The after_validate_save_post() function, located in includes/hooks.php [2], unconditionally trusts the attacker-controlled _acf_post_id POST parameter to select a code branch that discards all validation errors not prefixed with acfe:. This bypasses two key safeguards: the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action() [1]. The vulnerability requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field [3].
Exploitation
An unauthenticated attacker can exploit this by sending a crafted POST request to a publicly accessible ACFE frontend form that includes a Create User action. The attacker must supply an _acf_post_id parameter set to any value that triggers the cleanup branch (e.g., a non-zero value or a specific object ID that causes the function to discard non-acfe: errors). Additionally, the attacker must include a role field payload (e.g., field_... set to administrator) and any required user fields (email, username, password). The form submission then proceeds without the role validation errors surfacing, allowing wp_insert_user() to execute with the attacker-supplied administrator role argument [1][4].
Impact
Successful exploitation results in the creation of a new administrator-level user account on the WordPress site. The attacker gains full control over the target site, including the ability to read, modify, or delete any content, install plugins, modify themes, and execute arbitrary code via plugin/theme editing or file uploads. This is a critical privilege escalation vulnerability leading to complete site compromise (confidentiality, integrity, and availability impact).
Mitigation
The vendor has not released a patched version as of the publication date (2026-05-28). The fixed version is expected to be 0.9.2.6 or later. As a workaround, site administrators should disable any public ACFE frontend forms that create user accounts, or remove the Create User action from such forms until the patch is applied. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. The vulnerability affects all versions up to and including 0.9.2.5 [1][2][3][4].
- [1] https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-action-user.php#L715
- [2] https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/hooks.php#L636
- [3] https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-front.php#L94
- [4] https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/module-acf.php#L141
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.9.2.5
Patches
- r3551665
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/hooks.php (source: nvd)
- plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/module-acf.php (source: nvd)
- plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-action-user.php (source: nvd)
- plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-front.php (source: nvd)
- plugins.trac.wordpress.org/changeset/3551665/acf-extended (source: nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/bd332f49-5aa9-4207-89db-84692a6430e0 (source: nvd)