CVE-2025-13486

This PoC exploits CVE-2025-13486, an RCE vulnerability in the Advanced Custom Fields: Extended WordPress plugin, by leveraging improper validation in the `acfe/form/render_form_ajax` AJAX action to execute arbitrary PHP functions. It includes both verification and exploitation modes, with the latter creating an administrator account.

This repository contains a Python-based proof-of-concept exploit for CVE-2025-13486, targeting the Advanced Custom Fields: Extended (ACFE) WordPress plugin. The exploit leverages improper function handling in the plugin's AJAX endpoint to achieve remote code execution and privilege escalation by creating an administrative user.

This PoC exploits CVE-2025-13486 in the ACFE plugin for WordPress, allowing unauthenticated admin user creation via a call_user_func_array vulnerability. It includes verification and exploitation modes, with support for bulk targeting.

The repository claims to provide a PoC for CVE-2025-13486 but lacks actual exploit code, instead directing users to external downloads. The README contains technical details but no functional code, raising suspicion of a social engineering lure.

This exploit targets CVE-2025-13486 in the ACF Extended WordPress plugin, allowing unauthenticated remote code execution and privilege escalation by creating an admin user via AJAX form manipulation.

This repository provides a Docker-based test environment for CVE-2025-13486, an unauthenticated RCE vulnerability in ACF Extended (0.9.0.5 - 0.9.1.1) via `call_user_func_array()`. It includes setup scripts and a test case demonstrating the exploit.

The repository contains only Docker and Docker Compose configuration files for setting up a WordPress environment but lacks any exploit code or technical details about CVE-2025-13486. It appears to be a placeholder or incomplete PoC.

This Metasploit module exploits an unauthenticated RCE vulnerability in the WordPress ACF Extended plugin (versions 0.9.0.5 to 0.9.1.1) via the prepare_form() function, which passes unsanitized user input to call_user_func_array(). It creates an admin user and uploads a malicious plugin for execution.