CVE-2026-4809: WordPress Advanced Custom Fields Extended Unauth Privilege Escalation

Vulnerability Overview Vulnerability Name: Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter CVE ID: CVE-2026-4809 CVSS Score: 9.8 (Critical) Published Date: May 28, 2026 Last Updated: May 28, 2026 Researcher: danoo Affected Software Software Type: Plugin Software Name: Advanced Custom Fields: Extended Affected Versions: <= 0.9.2.5 Fixed Version: 0.9.2.6 Remediation Fix Method: Update to version 0.9.2.6 or later fixed versions. Vulnerability Description This vulnerability exists in the Advanced Custom Fields: Extended plugin, allowing unauthenticated users to execute privilege escalation by bypassing validation. Specifically, the vulnerability resides in the function, which unconditionally trusts the attacker-controlled POST parameter without performing any authentication or integrity verification. This enables unauthenticated attackers to suppress role allow-list validation errors and execute with an admin role parameter provided by the attacker, thereby creating a new administrator-level user account. References plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org Additional Information Software Source: view on wordpress.org Is Fixed: Yes Related Vulnerabilities Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution - CVE ID: CVE-2025-15463 - CVSS Score: 6.5 - Researcher: Kishan Vyse - Date: May 12, 2026 Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action - CVE ID: CVE-2025-14533 - CVSS Score: 9.8 - Researcher: andrea bocchetti - Date: January 19, 2026 Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form - CVE ID: CVE-2025-13486 - CVSS Score: 9.8 - Researcher: Marcin Dudek (dudekmar) - Date: December 2, 2025 Advanced Custom Fields: Extended <= 0.8.9.3 - Authenticated [Contributor+] Stored Cross-Site Scripting via Shortcode - CVE ID: CVE-2023-5292 - CVSS Score: 6.4 - Researcher: István Márton - Date: September 29, 2023 Advanced Custom Fields: Extended <= 0.8.8.6 - Admin+ SQL Injection - CVE ID: CVE-2021-24865 - CVSS Score: 7.2 - Researcher: ZhongFu Su - Date: December 24, 2021 Copyright Information Copyright: © 2012-2026 Defiant Inc. License: Used under Defiant's licensing terms. Contact Contact Email: wfi-support@wordfence.com Additional Resources Wordfence Intelligence: Offers a free WordPress vulnerability database and commercial API access. Wordfence WordPress Plugin: Provides fully free access to and querying of the vulnerability database. Footer Information Business Hours: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 24/7 support, 365 days, 1-hour response time Social Media Facebook: Wordfence Twitter: Wordfence LinkedIn: Wordfence Instagram: Wordfence Subscribe Subscription Link: Sign Up Legal Disclaimer Terms of Service: Terms of Service Privacy Policy: Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information: Do Not Sell or Share My Personal Information Products and Support Products: - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support: - Documentation - Learning Center - Free Support - Premium Support News: - Blog - In The News - Vulnerability Advisories About: - About Wordfence - Affiliate Program - Employment - Contact - Security - CVE Request Form Subscribe to Updates Subscription Link: Sign Up Copyright Statement Copyright: © 2012-2026 Defiant Inc. All Rights Reserved Additional Information Wordfence Intelligence: Offers a free WordPress vulnerability database and commercial API access. Wordfence WordPress Plugin: Provides fully free access to and querying of the vulnerability database. Footer Information Business Hours: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 24/7 support, 365 days, 1-hour response time Social Media Facebook: Wordfence Twitter: Wordfence LinkedIn: Wordfence Instagram: Wordfence Subscribe Subscription Link: Sign Up Legal Disclaimer Terms of Service: Terms of Service Privacy Policy: Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information: Do Not Sell or Share My Personal Information Products and Support Products: - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support: - Documentation - Learning Center - Free Support - Premium Support News: - Blog - In The News - Vulnerability Advisories About: - About Wordfence - Affiliate Program - Employment - Contact - Security - CVE Request Form Subscribe to Updates Subscription Link: Sign Up Copyright Statement Copyright: © 2012-2026 Defiant Inc. All Rights Reserved Additional Information Wordfence Intelligence: Offers a fre

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-4809: WordPress Advanced Custom Fields Extended Unauth Privilege Escalation

More from this source