{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/advanced-custom-fields-extended-plugin--0.9.2.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-8809"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Advanced Custom Fields: Extended plugin \u003c= 0.9.2.5"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","wordpress","acf","acfe","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-8809 is a critical privilege escalation vulnerability affecting the Advanced Custom Fields: Extended (ACFE) plugin for WordPress, specifically versions up to and including 0.9.2.5. The vulnerability stems from the \u003ccode\u003eafter_validate_save_post()\u003c/code\u003e function\u0026rsquo;s unconditional trust in the attacker-controlled \u003ccode\u003e_acf_post_id\u003c/code\u003e POST parameter. This allows attackers to bypass validation checks, specifically those related to user role assignment in ACFE frontend forms. Successful exploitation requires a public ACFE frontend form configured with a \u0026ldquo;Create User\u0026rdquo; action that includes a mapped role field. By manipulating the \u003ccode\u003e_acf_post_id\u003c/code\u003e parameter, an unauthenticated attacker can suppress validation errors related to role allow-lists and administrator role capabilities, leading to the creation of a new administrator-level user account on the WordPress site. 
This vulnerability poses a significant threat to WordPress sites using the ACFE plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site using the Advanced Custom Fields: Extended plugin (version \u0026lt;= 0.9.2.5) with a publicly accessible ACFE frontend form configured with a \u0026ldquo;Create User\u0026rdquo; action that maps a role field.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the form\u0026rsquo;s submission endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes attacker-controlled user data, including the desired administrator role for the new user.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u003ccode\u003e_acf_post_id\u003c/code\u003e POST parameter to point to a controlled cleanup branch.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eafter_validate_save_post()\u003c/code\u003e function processes the request and, due to the manipulated \u003ccode\u003e_acf_post_id\u003c/code\u003e, silently discards crucial validation errors, including role allow-list violations implemented by \u003ccode\u003eacfe_field_user_roles::validate_front_value()\u003c/code\u003e and administrator-role capability guard errors introduced by \u003ccode\u003eacfe_module_form_action_user::validate_action()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewp_insert_user()\u003c/code\u003e function executes with the attacker-supplied administrator role argument, bypassing standard WordPress permission checks due to the suppressed validation errors.\u003c/li\u003e\n\u003cli\u003eA new user account with administrator privileges is created on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in using the newly created administrator account, gaining full control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8809 allows an unauthenticated attacker to create a new administrator-level user account on the affected WordPress site. This grants the attacker complete control over the website, enabling them to modify content, install malicious plugins, access sensitive data, and potentially compromise the underlying server. Given the wide usage of WordPress and the ACFE plugin, this vulnerability has the potential to impact numerous websites and organizations. A CVSS v3.1 base score of 9.8 indicates the critical severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Advanced Custom Fields: Extended plugin to a version greater than 0.9.2.5 to patch CVE-2026-8809.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to ACFE form submission endpoints containing unusual values or manipulation attempts in the \u003ccode\u003e_acf_post_id\u003c/code\u003e parameter (see example Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and sanitization on all user-supplied data in ACFE forms, particularly for user roles and capabilities.\u003c/li\u003e\n\u003cli\u003eReview the configuration of all public ACFE frontend forms and ensure that user creation actions are properly secured and validated.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the creation of new administrator accounts via the \u003ccode\u003ewp_insert_user()\u003c/code\u003e function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T23:17:47Z","date_published":"2026-05-28T23:17:47Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8809-wordpress-privesc/","summary":"The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation (CVE-2026-8809), allowing an unauthenticated attacker to create an administrator-level user by bypassing 
validation in versions up to 0.9.2.5 if a specific form is exposed.","title":"CVE-2026-8809: Advanced Custom Fields: Extended WordPress Plugin Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8809-wordpress-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Advanced Custom Fields: Extended Plugin \u003c= 0.9.2.5","version":"https://jsonfeed.org/version/1.1"}