Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

CVE-2026-8809: WordPress Advanced Custom Fields: Extended plugin creates admin user accounts

CVE-2026-8809

Summary

The Advanced Custom Fields: Extended plugin for WordPress has a security flaw that allows anyone to create a new administrator-level user account on your website without needing a password. This can happen if your website has a public form that allows users to create new accounts. To fix this, update the plugin to the latest version or remove the public form to prevent unauthorized access.

Original title

Original description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.

nvd CVSS3.1 9.8

Vulnerability type

CWE-269 Improper Privilege Management

Published: 28 May 2026 · Updated: 30 May 2026 · First seen: 29 May 2026