Cyber Posture

CVE-2025-14533

Critical

Published: 20 January 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.2 percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: AC-2 requires management of user account creation and privilege assignments, directly preventing unrestricted role specification such as 'administrator' during registration in the insert_user function.

Prevent: AC-6 enforces least privilege by restricting user roles to only those necessary, countering the vulnerability's improper privilege management that allows escalation to administrator.

Prevent: SI-10 mandates validation of inputs such as the 'role' parameter during user registration, blocking unauthorized administrator role assignments by unauthenticated attackers.

Security Summary (AI)

CVE-2025-14533 is a privilege escalation vulnerability affecting the Advanced Custom Fields: Extended plugin for WordPress in all versions up to and including 0.9.2.1. The issue stems from the 'insert_user' function, which fails to restrict the user roles that can be assigned during registration. This allows attackers to specify the 'administrator' role, potentially granting full site control. Exploitation requires that the 'role' field be mapped to a custom field in the plugin configuration.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction, as indicated by its CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and association with CWE-269 (Improper Privilege Management). By supplying the 'administrator' role during user registration, they can gain complete administrative access to the WordPress site, enabling actions such as data exfiltration, modification, or deletion.

References point to code changes in version 0.9.2.2 of the plugin, including updates to field-user-roles.php at line 437 and module-form-action-user.php at line 356, which address the role restriction flaw originally present in 0.9.2.1 at module-form-action-user.php line 636. The Wordfence threat intelligence advisory provides further details on the vulnerability, recommending updates to patched versions for mitigation.
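As an added illustration (not code from the ACF Extended plugin or from the advisory), the following hypothetical WordPress form action maps submitted custom fields onto user data and shows the role allowlist check that the summary above says was missing. The allowlist contents and the function names are assumptions.

```php
<?php
// Hypothetical example, not the plugin's own code. Roles a visitor may
// self-register with; anything else falls back to the site's default role.
// The allowlist is an assumption for illustration.
const SELF_REGISTRABLE_ROLES = [ 'subscriber' ];

/**
 * Resolve the role for a new registration. The defect class described on
 * this page is passing the submitted 'role' straight through to the user
 * record; here it is checked against an allowlist instead.
 */
function cp_example_resolve_registration_role( $requested_role ) {
    $default = get_option( 'default_role', 'subscriber' );
    if ( ! is_string( $requested_role ) || $requested_role === '' ) {
        return $default;
    }
    $role = sanitize_key( $requested_role );
    return in_array( $role, SELF_REGISTRABLE_ROLES, true ) ? $role : $default;
}

/**
 * Form action that receives the custom fields already mapped to user
 * fields (e.g. 'user_email', 'role') and creates the account.
 */
function cp_example_register_user( array $mapped_fields ) {
    $userdata = [
        'user_login' => sanitize_user( $mapped_fields['user_login'] ?? '' ),
        'user_email' => sanitize_email( $mapped_fields['user_email'] ?? '' ),
        'user_pass'  => $mapped_fields['user_pass'] ?? wp_generate_password(),
        // Unsafe pattern: 'role' => $mapped_fields['role'] ?? 'subscriber',
        // A mapped 'role' field must never be trusted as submitted.
        'role'       => cp_example_resolve_registration_role( $mapped_fields['role'] ?? null ),
    ];
    // wp_insert_user() returns the new user ID or a WP_Error.
    return wp_insert_user( $userdata );
}
```

With this check in place a submitted role of 'administrator' is replaced by the configured default role rather than applied to the new account.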

Details

CWE(s)

CWE-269 Improper Privilege Management

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is an unauthenticated privilege escalation in a public-facing WordPress plugin, allowing remote exploitation to create an administrator account (T1190: Exploit Public-Facing Application; T1068: Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References