CVE-2025-13486

Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form

CVSS 9.8 CRITICALEPSS 73.6%CWE-94

Vexday Risk Score

85Fix now

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.8EPSS 73.6%KEV nãoPoC públicaNuclei simMetasploit simPatch —

Lifecycle

02 Dec 2025Metasploit module available

03 Dec 2025Published on NVD

04 Dec 2025Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

hwk-fr · Advanced Custom Fields: Extended

public PoCs found — 6

githubgithub.com/0xanis/CVE-2025-13486-POC★ 5 githubgithub.com/MataKucing-OFC/CVE-2025-13486★ 2 githubgithub.com/0xgh057r3c0n/CVE-2025-13486★ 2 githubgithub.com/whattheslime/CVE-2025-13486★ 1 githubgithub.com/0xnemian/CVE-2025-13486.-CVE-2025-13486★ 0 githubgithub.com/KrE80r/cve-2025-13486-vuln-setup★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/3400134/acf-extended https://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9?source=cve