Advanced Custom Fields: Extended WordPress Plugin Vulnerability

Reliable Penguin has reviewed managed WordPress servers for a recently disclosed vulnerability in the Advanced Custom Fields: Extended WordPress plugin, also commonly referred to as ACF Extended or ACFE.

Summary

Wordfence published an advisory for a critical unauthenticated privilege escalation vulnerability in the Advanced Custom Fields: Extended WordPress plugin. The issue affects Advanced Custom Fields: Extended versions up to and including 0.9.2.5 and is patched in version 0.9.2.6. Wordfence assigned the vulnerability a CVSS score of 9.8, which is considered critical.

According to Wordfence, the vulnerability may allow an unauthenticated attacker to escalate privileges by abusing validation handling related to the _acf_post_id parameter. The advisory notes that exploitation depends on site configuration, specifically whether the site exposes a public ACFE frontend form configured with a Create User action that maps a role field.

Reliable Penguin Response

Reliable Penguin used our internal RP Anvil system to review managed servers for WordPress installations using vulnerable Advanced Custom Fields: Extended plugin versions.

As part of this review, RP Anvil scanned managed systems for Advanced Custom Fields: Extended plugin installations and checked installed versions against the vulnerable range identified in the advisory.

At this time:

  • Managed servers have been reviewed.

  • Clients with potentially vulnerable WordPress installations have been notified directly.

  • No client action is required at this point for Reliable Penguin managed systems unless we have contacted you directly.

What Clients Should Do

For Reliable Penguin managed systems, no action is required unless you have received a direct notification from us.

For WordPress sites not managed by Reliable Penguin, site owners should review their installations and update Advanced Custom Fields: Extended to version 0.9.2.6 or newer. Wordfence recommends updating as soon as possible due to the critical nature of this vulnerability.

Site owners should also review any public ACFE frontend forms, especially forms configured to create users or assign user roles.
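For site owners doing the same kind of version review described above on their own servers, here is an added example (not RP Anvil's code and not part of the plugin) that reads the plugin header from each WordPress document root and flags installs in the advisory's vulnerable range. It assumes the plugin's main file is at wp-content/plugins/acf-extended/acf-extended.php; adjust PLUGIN_FILE if your layout differs.

```python
# Added example: find ACF Extended installs at or below 0.9.2.5 across docroots.
# Assumes the wordpress.org slug "acf-extended"; not Reliable Penguin's tooling.
import os
import re
import tempfile

LAST_VULNERABLE = (0, 9, 2, 5)      # advisory: <= 0.9.2.5 affected, 0.9.2.6 fixed
PLUGIN_FILE = os.path.join("wp-content", "plugins", "acf-extended", "acf-extended.php")
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """Return the numeric version tuple from a WP plugin header, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)
        if not digits:            # stop at suffixes such as "-beta"
            break
        parts.append(int(digits.group()))
    return tuple(parts) or None


def is_vulnerable(version):
    """True when the parsed version falls inside the advisory's range."""
    return version is not None and version <= LAST_VULNERABLE


def scan_docroots(docroots):
    """Map each docroot that ships ACF Extended to (version, vulnerable)."""
    findings = {}
    for root in docroots:
        path = os.path.join(root, PLUGIN_FILE)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(8192))   # header sits at the top
        findings[root] = (version, is_vulnerable(version))
    return findings


def demo():
    """Build two constructed docroots (one old, one patched) and scan them."""
    base = tempfile.mkdtemp()
    for site, ver in (("old", "0.9.2.5"), ("patched", "0.9.2.6")):
        plugin = os.path.join(base, site, PLUGIN_FILE)
        os.makedirs(os.path.dirname(plugin), exist_ok=True)
        with open(plugin, "w") as fh:
            fh.write("<?php\n/**\n * Plugin Name: ACF Extended\n * Version: %s\n */\n" % ver)
    return scan_docroots([os.path.join(base, s) for s in ("old", "patched")])
```

On a real server, pass the list of WordPress document roots to scan_docroots() and treat any True entry as a site to update to 0.9.2.6 and to review for public frontend forms that create users.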

Additional Resources

Questions

If you have questions about this vulnerability or your managed WordPress environment, please contact Reliable Penguin support.
