Added CVE-2025-13486 Template | Algora

PR

Added CVE-2025-13486 Template

projectdiscovery/nuclei-templates#14214

/claim #14212

PR Information

Added CVE-2025-13486 - WordPress ACF Extended < 0.9.1.2 Unauthenticated RCE
References:

Template validation

Validated with a host running a vulnerable version and/or configuration (True Positive)
Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

Attack Flow:

Checks for ACF Extended plugin presence
Sends malicious POST to admin-ajax.php with action=acfe_prepare_form
Exploits unsafe call_user_func_array() in prepare_form() function
Confirms RCE via DNS callback (interactsh)

Additional References:

Claim

Total prize pool $100

Total paid $0

Status Pending

Submitted December 04, 2025

Last updated December 04, 2025

Contributors

DA

Darshan

@Darshannaikk

100%

Sponsors

PR

ProjectDiscovery

@projectdiscovery

$100