50,000 WordPress sites affected by major plugin security flaw - here's how to stay safe
A popular WordPress plugin has a worrying flaw
- Critical bug in ACF: Extended WordPress plugin allows arbitrary role escalation to administrator
- About 50,000 WordPress sites are vulnerable despite patch in version 0.9.2.2
- No exploitation reported yet, but attackers likely to probe exposed sites soon
Around 50,000 WordPress websites are currently at risk of full site takeover, due to a critical-severity vulnerability that was recently discovered in a popular plugin.
In mid-December 2025, Wordfence was notified by security researcher Andrea Bocchetti of a vulnerability in Advanced Custom Fields: Extended, a plugin which adds more features to the Advanced Custom Fields (ACF) plugin.
ACF itself lets users add custom fields to posts and pages; the ACF: Extended add-on is currently active on around 100,000 WordPress websites.
How to stay safe
Bocchetti said that the bug stems from role restrictions not being enforced properly during form-based user creation or updates.
"In the vulnerable version, there are no restrictions for form fields, so the user's role can be set arbitrarily, even to 'administrator', regardless of the field settings, if there is a role field added to the form," Wordfence explained in its advisory.
"As with any privilege escalation vulnerability, this can be used for complete site compromise.”
In other words, on a site that exposes such a form, an unauthenticated visitor can make themselves an administrator, essentially taking over the site.
The vulnerability affects versions 0.9.2.1 and earlier and is now tracked as CVE-2025-14533. It was given a severity score of 9.8/10 (critical).
The silver lining is that not every installation is exploitable: a site is only affected if it uses the plugin's ‘Create User’ or ‘Update User’ form with a role field mapped to it.
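The pattern Wordfence describes, as an added illustration rather than ACF: Extended's own code: a hypothetical front-end "Update User" handler in the style of a WordPress plugin. The first function applies whatever role the request carries, which is the class of bug described above; the second enforces the form's configured role list server side, requires the same capability wp-admin requires for role changes, and refuses to hand out a role carrying capabilities the caller does not hold. The function names and the `$allowed_roles` parameter are assumptions for the example; the WordPress APIs used (`wp_update_user()`, `wp_roles()`, `current_user_can()`, `WP_Error`) are real. The same checks apply to the "Create User" case with `wp_insert_user()`.

```php
<?php
// Added example, not code from ACF: Extended. Hypothetical form handlers
// showing the vulnerable pattern and a hardened replacement.

// ---- Vulnerable pattern: the submitted "role" field is applied as-is. ----
function vulnerable_update_user_from_form( int $user_id, array $fields ) {
    $userdata = array( 'ID' => $user_id );
    if ( isset( $fields['display_name'] ) ) {
        $userdata['display_name'] = sanitize_text_field( $fields['display_name'] );
    }
    if ( isset( $fields['role'] ) ) {
        // No check against the roles the form was configured to offer and no
        // capability check: "administrator" is accepted as readily as "subscriber",
        // and a logged-out visitor can submit it just like anyone else.
        $userdata['role'] = sanitize_key( $fields['role'] );
    }
    return wp_update_user( $userdata );
}

// ---- Hardened pattern. $allowed_roles is the form's configured role list
// (assumed to come from the form settings); anything else never reaches
// wp_update_user(). ----
function hardened_update_user_from_form( int $user_id, array $fields, array $allowed_roles ) {
    $userdata = array( 'ID' => $user_id );
    if ( isset( $fields['display_name'] ) ) {
        $userdata['display_name'] = sanitize_text_field( $fields['display_name'] );
    }
    if ( isset( $fields['role'] ) ) {
        $role = sanitize_key( $fields['role'] );

        // 1. Only roles the form author explicitly mapped may be assigned.
        if ( ! in_array( $role, $allowed_roles, true ) ) {
            return new WP_Error( 'role_not_allowed', 'Role is not offered by this form.' );
        }

        // 2. The role must exist on this site.
        $role_obj = wp_roles()->get_role( $role );
        if ( null === $role_obj ) {
            return new WP_Error( 'role_unknown', 'Unknown role.' );
        }

        // 3. Changing a role is a privileged action: require the capability
        //    wp-admin requires. current_user_can() is false for logged-out
        //    visitors, so the unauthenticated case stops here.
        if ( ! current_user_can( 'promote_users' ) ) {
            return new WP_Error( 'role_forbidden', 'Not allowed to change roles.' );
        }

        // 4. Never let a form grant a role with capabilities the caller lacks;
        //    this blocks an editor promoting themselves to administrator.
        foreach ( array_keys( array_filter( $role_obj->capabilities ) ) as $cap ) {
            if ( ! current_user_can( $cap ) ) {
                return new WP_Error( 'role_forbidden', "Cannot grant a role with '{$cap}'." );
            }
        }

        $userdata['role'] = $role;
    }
    return wp_update_user( $userdata );
}
```

The order of checks matters: the allow-list and existence checks reject bad input cheaply, but they are not a substitute for step 3, since a form author may legitimately map the role field and still never intend anonymous visitors to choose a value. After patching, an audit with WP-CLI is a reasonable follow-up, for example `wp plugin get acf-extended --field=version` (assuming `acf-extended` is the installed slug) to confirm 0.9.2.2 or later, and `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` to spot administrator accounts nobody recognises.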
The bug was remedied in version 0.9.2.2. According to WordPress.org’s official stats, approximately 50,000 websites have already updated to the patched version, leaving roughly the same number still vulnerable.
At press time, there was no evidence of the flaw being abused in the wild, but now that the news is out there, it is safe to assume that cybercriminals will start at least probing for vulnerabilities.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.