Add CVE-2025-13486 nuclei template
projectdiscovery/nuclei-templates#14220

/claim #14212

Summary

  • Added CVE-2025-13486 - WordPress ACF Extended < 0.9.2 Unauthenticated RCE

Technical Details

This vulnerability affects Advanced Custom Fields: Extended WordPress plugin versions 0.9.0.5 through 0.9.1.1. The vulnerability exists due to unsafe use of call_user_func_array() in the prepare_form() function, allowing unauthenticated attackers to execute arbitrary PHP functions remotely.

Attack Flow:

  1. Checks for ACF Extended plugin presence via homepage scan
  2. Extracts AJAX nonce from page source
  3. Sends POST to /wp-admin/admin-ajax.php with action=acfe/form/render_form_ajax
  4. Exploits unsafe call_user_func_array() using print_r as a safe detection method
  5. Confirms vulnerability via reflected random string in response

References

Template Validation

  • Template follows nuclei template guidelines
  • Uses safe detection method (print_r) instead of destructive commands
  • Includes proper metadata and classification

Test Plan

  • Validate with vulnerable ACF Extended 0.9.1.1 installation
  • Validate with patched ACF Extended 0.9.2+ installation (false positive check)
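The detection steps and test plan above (version gate, nonce extraction from page source, a per-scan random marker, reflection check, and a false-positive check against a patched build) can be exercised offline. The block below is an added example written for this page; it is not the nuclei template from the PR and not code from the ACF Extended project or ProjectDiscovery. It assumes the inclusive affected range 0.9.0.5 to 0.9.1.1 and the `acfe/form/render_form_ajax` action exactly as the PR states them, and it deliberately omits the request fields that reach `prepare_form()`, since the page does not give them. The page markup and AJAX responses are constructed samples, not captures from a real site; the `_wpnonce` field name and the `"nonce":"..."` script shape are assumed generic WordPress conventions.

```python
"""Helpers for the CVE-2025-13486 detection logic described in the PR.

Added example for illustration; not the nuclei template itself.
Covers: version gate, nonce extraction, marker generation, reflection check.
"""
import re
import secrets
from typing import Dict, Optional, Tuple

# Affected range as stated in the PR text (inclusive); 0.9.2 is the first fixed release.
AFFECTED_MIN = (0, 9, 0, 5)
AFFECTED_MAX = (0, 9, 1, 1)

# Endpoint and action named in the PR.
AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "acfe/form/render_form_ajax"


def parse_version(v: str) -> Tuple[int, ...]:
    """'0.9.2' -> (0, 9, 2, 0) so three- and four-part versions compare as tuples."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * max(0, 4 - len(parts))


def is_affected_version(v: str) -> bool:
    """True only inside the range the PR gives; 0.9.0.4 and 0.9.2 are both out."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


# wp_create_nonce() returns 10 lowercase hex characters. Match both the
# inline-script shape  "nonce":"..."  and the hidden-input shape
# name="_wpnonce" value="..."  (assumed generic WordPress conventions).
NONCE_RE = re.compile(r'nonce["\']?\s*(?:value\s*=|[:=])\s*["\']([0-9a-f]{10})["\']')


def extract_nonce(html: str) -> Optional[str]:
    """Step 2 of the attack flow: pull the AJAX nonce out of the homepage source."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def make_marker() -> str:
    """Fresh random value per scan; a fixed marker would let cached or
    replayed responses pass the reflection check."""
    return secrets.token_hex(8)


def probe_request(nonce: str) -> Tuple[str, Dict[str, str]]:
    """Path and the POST fields the PR names. The fields that carry the
    print_r() call into prepare_form() are NOT given on the page and are
    intentionally left out here; the real template supplies them."""
    return AJAX_PATH, {"action": AJAX_ACTION, "_ajax_nonce": nonce}  # field name assumed


def confirms_vulnerable(status: int, body: str, marker: str) -> bool:
    """Step 5: print_r() on a string writes it verbatim, so the check is an
    exact, case-sensitive substring match on the per-scan marker."""
    return status == 200 and marker in body


# Constructed samples (not captured from a real target).
SAMPLE_HOME_HTML = (
    '<script>var wpData = {"ajaxurl":"/wp-admin/admin-ajax.php",'
    '"nonce":"3f9a0c1b2d"};</script>'
)
SAMPLE_FORM_HTML = '<input type="hidden" name="_wpnonce" value="a1b2c3d4e5">'


def assess(version: str, home_html: str, status: int, body: str, marker: str) -> str:
    """Combine the checks the way the test plan reads them."""
    if not is_affected_version(version):
        return "not-affected-version"
    if extract_nonce(home_html) is None:
        return "plugin-not-detected"
    return "vulnerable" if confirms_vulnerable(status, body, marker) else "not-reflected"


if __name__ == "__main__":
    m = make_marker()
    # Vulnerable build reflects the marker; patched build answers without it.
    print(assess("0.9.1.1", SAMPLE_HOME_HTML, 200, "<div>" + m + "</div>", m))
    print(assess("0.9.2", SAMPLE_HOME_HTML, 200, '{"success":false}', m))
```

Run it with `python3` to see the two test-plan cases classified; swap the constructed responses for real ones only against a host you are authorised to test.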

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted December 04, 2025
Last updated December 04, 2025

Contributors

Lulzx (@Lulzx) 100%

Sponsors

ProjectDiscovery (@projectdiscovery) $100