Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated RCE (CVE-2025-13486)
Exploitation Summary
CVE-2025-13486 has been observed being exploited in the wild (reported by VulnCheck KEV).
EIP tracks 9 public exploits from researchers including 0xanis, 0xgh057r3c0n and MataKucing-OFC, among them a Metasploit module (exploits/multi/http/wp_acf_extended_rce).
A Nuclei detection template is also available.
AI-analyzed exploit summary
This PoC exploits CVE-2025-13486, an RCE vulnerability in the Advanced Custom Fields: Extended WordPress plugin, by leveraging improper validation in the `acfe/form/render_form_ajax` AJAX action to execute arbitrary PHP functions. It includes both verification and exploitation modes, with the latter creating an administrator account.
Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function, which accepts user input and passes it to call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
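As an added check, not code from this page, from the plugin's authors or from any of the PoCs listed below: a Python helper that reads the `Stable tag:` header of a WordPress plugin readme.txt and tests it against the affected range stated above (0.9.0.5 through 0.9.1.1, inclusive, exactly as reported here). The plugin directory `wp-content/plugins/acf-extended` is the one named in this page's fingerprint; the readme.txt location inside it is a WordPress.org packaging convention, not something the page states. Two caveats a practitioner should keep in mind: the Stable tag can lag the version actually installed, and a host may block readme.txt, so a miss is not a clean bill. The readme fragments below are constructed; the "above range" version is simply one past the stated upper bound and is not a claim about which release carries the fix.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range as stated in the description on this page (inclusive bounds).
AFFECTED_MIN = "0.9.0.5"
AFFECTED_MAX = "0.9.1.1"

# Plugin slug from this page's fingerprint; readme.txt in the plugin
# directory is a WordPress convention (assumption, not from the page).
PLUGIN_README_PATH = "/wp-content/plugins/acf-extended/readme.txt"


def readme_url(base_url: str) -> str:
    """Build the readme.txt URL for a WordPress site root."""
    return base_url.rstrip("/") + PLUGIN_README_PATH


def parse_version(version: str, width: int = 4) -> Tuple[int, ...]:
    """Convert a dotted version into a zero-padded integer tuple.

    Padding means "0.9.1" compares as 0.9.1.0, so three-component tags
    order correctly against four-component releases. Non-numeric tags such
    as "trunk" raise ValueError rather than silently comparing as safe.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+$", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(m.group(0)))
    if not parts or len(parts) > width:
        raise ValueError(f"expected 1-{width} components, got {version!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str) -> bool:
    """True when version lies within [AFFECTED_MIN, AFFECTED_MAX]."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


def stable_tag(readme_text: str) -> Optional[str]:
    """Pull the 'Stable tag:' header value out of a readme.txt body."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def assess_readme(readme_text: str) -> Dict[str, object]:
    """Combine header extraction and the range check into one verdict.

    'affected' is True/False when a version could be parsed and compared,
    and None when the readme gives nothing usable (missing header, 'trunk').
    """
    tag = stable_tag(readme_text)
    if tag is None:
        return {"version": None, "affected": None, "reason": "no Stable tag header"}
    try:
        return {"version": tag, "affected": is_affected(tag),
                "reason": "compared against advisory range"}
    except ValueError as exc:
        return {"version": tag, "affected": None, "reason": str(exc)}


# Constructed readme fragments for demonstration; nothing here was fetched
# from a live site, and the second version is just one above the range.
SAMPLE_README_IN_RANGE = """=== Advanced Custom Fields: Extended ===
Stable tag: 0.9.1.1
License: GPLv2 or later
"""

SAMPLE_README_ABOVE_RANGE = """=== Advanced Custom Fields: Extended ===
Stable tag: 0.9.1.2
"""

if __name__ == "__main__":
    for text in (SAMPLE_README_IN_RANGE, SAMPLE_README_ABOVE_RANGE, "Stable tag: trunk\n"):
        print(assess_readme(text))
```

To use it against a real host, fetch `readme_url("https://example.com")` with whatever HTTP client you already use and pass the body to `assess_readme`; a `None` verdict means fall back to the installed version shown in the WordPress admin or in the plugin's main PHP file header.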
Exploits (9)
This PoC exploits CVE-2025-13486, an RCE vulnerability in the Advanced Custom Fields: Extended WordPress plugin, by leveraging improper validation in the `acfe/form/render_form_ajax` AJAX action to execute arbitrary PHP functions. It includes both verification and exploitation modes, with the latter creating an administrator account.
This repository contains a Python-based proof-of-concept exploit for CVE-2025-13486, targeting the Advanced Custom Fields: Extended (ACFE) WordPress plugin. The exploit leverages improper function handling in the plugin's AJAX endpoint to achieve remote code execution and privilege escalation by creating an administrative user.
This PoC exploits CVE-2025-13486 in the ACFE plugin for WordPress, allowing unauthenticated admin user creation via a call_user_func_array vulnerability. It includes verification and exploitation modes, with support for bulk targeting.
The repository claims to provide a PoC for CVE-2025-13486 but lacks actual exploit code, instead directing users to external downloads. The README contains technical details but no functional code, raising suspicion of a social engineering lure.
This repository contains a functional Python exploit for CVE-2025-13486, targeting the Advanced Custom Fields: Extended WordPress plugin. The exploit automates the creation of an administrator account via unauthenticated remote code execution by leveraging a vulnerable AJAX endpoint.
This exploit targets CVE-2025-13486 in the ACF Extended WordPress plugin, allowing unauthenticated remote code execution and privilege escalation by creating an admin user via AJAX form manipulation.
This repository provides a Docker-based test environment for CVE-2025-13486, an unauthenticated RCE vulnerability in ACF Extended (0.9.0.5 - 0.9.1.1) via `call_user_func_array()`. It includes setup scripts and a test case demonstrating the exploit.
The repository contains only Docker and Docker Compose configuration files for setting up a WordPress environment but lacks any exploit code or technical details about CVE-2025-13486. It appears to be a placeholder or incomplete PoC.
This Metasploit module exploits an unauthenticated RCE vulnerability in the WordPress ACF Extended plugin (versions 0.9.0.5 to 0.9.1.1) via the prepare_form() function, which passes unsanitized user input to call_user_func_array(). It creates an admin user and uploads a malicious plugin for execution.
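The PoCs summarized above all reach the vulnerable code through the plugin's admin-ajax action. The following is an added hunting example, not part of this page or of any listed PoC: it scans combined-format web server access logs (Apache/nginx "combined", an assumption about your logging setup) for calls to `admin-ajax.php` whose `action` parameter is the `acfe/form/render_form_ajax` action named in the summaries. The log lines are constructed. One caveat matters for interpreting results: WordPress reads `action` from `$_REQUEST`, so a POST body can carry it where the access log never records it; those requests are only flagged as needing body-level telemetry (WAF logs, request-body logging) and will be noisy on any busy site.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# The admin-ajax action named in this page's exploit summaries.
SUSPECT_ACTION = "acfe/form/render_form_ajax"

# Combined log format (Apache "combined", nginx default "combined"); assumed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Label an admin-ajax.php request, or return None for everything else.

    parse_qs percent-decodes once, so an encoded action
    (acfe%2Fform%2Frender_form_ajax) and a literal one compare equal.
    """
    url = urlsplit(entry["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    actions = parse_qs(url.query).get("action", [])
    if SUSPECT_ACTION in actions:
        return "suspect-action-in-query"
    if entry["method"] == "POST" and not actions:
        # Action may sit in the POST body, which the access log does not
        # record; only body-level telemetry can confirm or clear these.
        return "post-body-not-logged"
    return None


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify over a log stream and collect the hits, in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "method": entry["method"], "status": entry["status"],
                             "ua": entry["ua"], "label": label})
    return findings


# Constructed sample lines (documentation-range IPs, invented timestamps);
# not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:21:07 +0000] "GET /wp-admin/admin-ajax.php?action=acfe%2Fform%2Frender_form_ajax HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
203.0.113.10 - - [01/Jan/2025:10:21:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "python-requests/2.32.3"
198.51.100.7 - - [01/Jan/2025:10:22:41 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:23:00 +0000] "GET /?p=12 HTTP/1.1" 200 8132 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

A query-string hit is a strong lead but not proof of success on its own; pivot on the source IP and user agent, then check what the summaries say the exploits leave behind: unexpected administrator accounts in wp_users/wp_usermeta and unfamiliar directories under wp-content/plugins.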
Nuclei Templates (1)
http.component:"WordPress"
body="wp-content/plugins/acf-extended"
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)