Advanced Custom Fields Extended Plugin Unauth RCE Risk
Category: Threat Alerts
The Advanced Custom Fields: Extended plugin for WordPress contains an unauthenticated remote code execution vulnerability in versions 0.9.0.5 through 0.9.1.1. The flaw maps to MITRE ATT&CK techniques T1190 and T1203. User input is passed to call_user_func_array without validation, enabling attackers to invoke arbitrary PHP functions, deploy webshells, or create admin accounts. Over 100,000 sites are affected. Wordfence validated the issue on November 20, and the vendor released patch 0.9.2 on November 21. WAF protections are staggered, leaving a window where many sites remain exposed to automated mass attacks. Business risks include full site compromise, data theft, SEO poisoning, and regulatory liability where customer information is processed. Mitigation requires immediate plugin updates, auditing for malicious admin accounts or backdoors, enabling WAF rules, and adopting structured plugin update processes.
CORTEX Protocol Intelligence Assessment
Business Impact: Attackers can take full control of WordPress sites, risking brand damage, data leakage, and malware distribution.
Technical Context: The vulnerability arises from unvalidated dynamic function calls, allowing arbitrary PHP execution in public-facing WordPress environments.
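The following is an added illustration of the pattern described above, not code from the ACF Extended plugin: a dispatcher that hands caller-supplied text to call_user_func_array beside a hardened version that only dispatches to a fixed allowlist after WordPress nonce and capability checks. The handler names, the nonce action and the manage_options capability are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Vulnerable shape described in the
// alert: a function name chosen by the request reaches call_user_func_array
// with no authentication and no validation, so any PHP function is reachable.
function insecure_dispatch(array $request)
{
    return call_user_func_array($request['action'], $request['args'] ?? []);
}

// Hardened shape: an opaque action key maps to a fixed set of handlers.
// Caller text is never used as a callable. Handler names are hypothetical.
const ACFE_EXAMPLE_HANDLERS = [
    'render_field' => 'acfe_example_render_field',
    'save_layout'  => 'acfe_example_save_layout',
];

function secure_dispatch(array $request)
{
    // Unauthenticated or under-privileged callers are rejected before dispatch.
    if (!is_user_logged_in() || !current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // CSRF protection: nonce action name is an assumption for this example.
    check_ajax_referer('acfe_example_nonce', '_ajax_nonce');

    $name = isset($request['action']) ? (string) $request['action'] : '';
    if (!array_key_exists($name, ACFE_EXAMPLE_HANDLERS)) {
        // Unknown key: fail closed rather than trusting the supplied string.
        wp_send_json_error('unknown action', 400);
    }

    // Arguments are sanitized and passed positionally to the allowlisted handler.
    $args = (isset($request['args']) && is_array($request['args']))
        ? array_map('sanitize_text_field', array_values($request['args']))
        : [];

    return call_user_func_array(ACFE_EXAMPLE_HANDLERS[$name], $args);
}
```

When auditing a plugin for this class of bug, search for call_user_func, call_user_func_array and variable-function calls whose callable is derived from $_GET, $_POST or $_REQUEST and confirm each one is gated by an allowlist like the one above.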
Strategic Intelligence Guidance
- Upgrade ACF Extended to version 0.9.2 or later.
- Audit sites for unauthorized admin accounts or modified files.
- Enable WAF protections to block exploit attempts.
- Implement plugin lifecycle monitoring in vulnerability workflows.
Intelligence Source: Advanced Custom Fields Extended Plugin Unauth RCE Risk | Dec 3, 2025