Threat Feed
critical advisory

CVE-2026-8809: Advanced Custom Fields: Extended WordPress Plugin Privilege Escalation

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation (CVE-2026-8809), allowing an unauthenticated attacker to create an administrator-level user by bypassing validation in versions up to 0.9.2.5 if a frontend form with a "Create User" action is publicly exposed.

CVE-2026-8809 is a critical privilege escalation vulnerability affecting the Advanced Custom Fields: Extended (ACFE) plugin for WordPress, specifically versions up to and including 0.9.2.5. The vulnerability stems from the after_validate_save_post() function’s unconditional trust in the attacker-controlled _acf_post_id POST parameter. This allows attackers to bypass validation checks, specifically those related to user role assignment in ACFE frontend forms. Successful exploitation requires a public ACFE frontend form configured with a “Create User” action that includes a mapped role field. By manipulating the _acf_post_id parameter, an unauthenticated attacker can suppress validation errors related to role allow-lists and administrator role capabilities, leading to the creation of a new administrator-level user account on the WordPress site. This vulnerability poses a significant threat to WordPress sites using the ACFE plugin.

Attack Chain

  1. The attacker identifies a WordPress site using the Advanced Custom Fields: Extended plugin (version <= 0.9.2.5) with a publicly accessible ACFE frontend form configured with a “Create User” action that maps a role field.
  2. The attacker crafts a malicious HTTP POST request to the form’s submission endpoint.
  3. The POST request includes attacker-controlled user data, including the desired administrator role for the new user.
  4. The attacker manipulates the _acf_post_id POST parameter to point to a controlled cleanup branch.
  5. The after_validate_save_post() function processes the request and, due to the manipulated _acf_post_id, silently discards crucial validation errors, including role allow-list violations implemented by acfe_field_user_roles::validate_front_value() and administrator-role capability guard errors introduced by acfe_module_form_action_user::validate_action().
  6. The wp_insert_user() function executes with the attacker-supplied administrator role argument, bypassing standard WordPress permission checks due to the suppressed validation errors.
  7. A new user account with administrator privileges is created on the WordPress site.
  8. The attacker logs in using the newly created administrator account, gaining full control over the WordPress site.

Impact

Successful exploitation of CVE-2026-8809 allows an unauthenticated attacker to create a new administrator-level user account on the affected WordPress site. This grants the attacker complete control over the website, enabling them to modify content, install malicious plugins, access sensitive data, and potentially compromise the underlying server. Given the wide usage of WordPress and the ACFE plugin, this vulnerability has the potential to impact numerous websites and organizations. A CVSS v3.1 base score of 9.8 indicates the critical severity of this vulnerability.

Recommendation

  • Upgrade the Advanced Custom Fields: Extended plugin to a version greater than 0.9.2.5 to patch CVE-2026-8809.
  • Monitor web server logs for suspicious POST requests to ACFE form submission endpoints containing unusual values or manipulation attempts in the _acf_post_id parameter (see example Sigma rule below).
  • Implement strong input validation and sanitization on all user-supplied data in ACFE forms, particularly for user roles and capabilities.
  • Review the configuration of all public ACFE frontend forms and ensure that user creation actions are properly secured and validated.
  • Deploy the Sigma rule to detect the creation of new administrator accounts via the wp_insert_user() function.

Detection coverage (2 rules)

Detect CVE-2026-8809 Exploitation Attempt - Suspicious _acf_post_id Manipulation

Severity: high

Detects potential CVE-2026-8809 exploitation attempts by monitoring for suspicious POST requests with unusual _acf_post_id parameters to ACFE form submission endpoints.

Type: sigma | Tactics: privilege_escalation | Techniques: T1190, T1548.001 | Sources: webserver

Detect WordPress User Creation with Administrator Role

Severity: medium

Detects the creation of a WordPress user with an administrator role by matching POST requests to the wp-admin/user-new.php endpoint.

Type: sigma | Tactics: privilege_escalation | Techniques: T1548.001 | Sources: webserver
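As an added illustration of the two detection rules described above (this is example code written for this advisory, not the platform's Sigma rules, which are not reproduced here), the following Python script applies their logic to constructed request-log records. It assumes the log source records the request method, path and parsed form body (as a WAF or application-level request log would), that a legitimate submission of the site's ACFE form carries a numeric _acf_post_id, and that the form path, role field key, user names and IP addresses are placeholders.

```python
import re
from typing import Dict, List, Optional

# Assumption: a legitimate submission of this site's ACFE form carries a plain
# numeric _acf_post_id (the ID of the page hosting the form); anything else is
# flagged as unusual. Tune this to the form's real baseline before deploying.
EXPECTED_ACF_POST_ID = re.compile(r"^\d+$")

def check_acfe_submission(rec: Dict) -> Optional[str]:
    """Rule 1: ACFE form POST with an unusual _acf_post_id, or one whose
    submitted fields request the administrator role."""
    body = rec.get("body", {})
    if rec.get("method") != "POST" or "_acf_post_id" not in body:
        return None
    if not EXPECTED_ACF_POST_ID.match(body["_acf_post_id"]):
        return f"unusual _acf_post_id={body['_acf_post_id']!r} from {rec['src_ip']}"
    if any(v == "administrator" for v in body.values()):
        return f"administrator role requested via ACFE form from {rec['src_ip']}"
    return None

def check_admin_user_creation(rec: Dict) -> Optional[str]:
    """Rule 2: POST to wp-admin/user-new.php whose 'role' field (the name
    WordPress's own new-user form submits) is administrator."""
    if rec.get("method") != "POST" or not rec.get("path", "").endswith("/wp-admin/user-new.php"):
        return None
    if rec.get("body", {}).get("role") == "administrator":
        return f"administrator user {rec['body'].get('user_login', '?')!r} created from {rec['src_ip']}"
    return None

def scan(records: List[Dict]) -> List[str]:
    """Run both rules over every record; return the findings in log order."""
    rules = (check_acfe_submission, check_admin_user_creation)
    return [hit for rec in records for rule in rules if (hit := rule(rec))]

# Constructed sample request-log records (placeholder paths, field keys and IPs).
SAMPLE_LOG = [
    {"src_ip": "203.0.113.5", "method": "POST", "path": "/register/",
     "body": {"_acf_post_id": "42", "acf[field_role]": "subscriber"}},        # benign
    {"src_ip": "198.51.100.7", "method": "POST", "path": "/register/",
     "body": {"_acf_post_id": "not-a-post-id", "acf[field_role]": "administrator"}},
    {"src_ip": "192.0.2.9", "method": "POST", "path": "/wp-admin/user-new.php",
     "body": {"action": "createuser", "user_login": "ops", "role": "administrator"}},
    {"src_ip": "192.0.2.9", "method": "GET", "path": "/wp-admin/user-new.php", "body": {}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Rule 2 fires on legitimate administrator creation as well, so its findings should be correlated with the expected admin activity on the site rather than treated as exploitation on their own.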
