CVE-2026-8809

May 29, 2026, 2:40 a.m.

9.8
Critical

Description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Advanced Custom Fields Extended
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress advanced_custom_fields_extended / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/hooks.php#L636
https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/module-acf.php#L141
https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-action-user.php#L715
https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-front.php#L94
https://plugins.trac.wordpress.org/changeset/3551665/acf-extended
https://www.wordfence.com/threat-intel/vulnerabilities/id/bd332f49-5aa9-4207-89db-84692a6430e0?source=cve

Tags

[email protected]
CWE-269
2026-05-28
CVE-2026-8809

CVSS Score

9.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: May 28, 2026, 11:16 p.m.
Last Modified: May 29, 2026, 2:40 a.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.