CVE-2025-13486 – Advanced Custom Fields: Extended 0.9.0.5 – 0.9.1.1 – Unauthenticated Remote Code Execution in prepare_form

CVE ID : CVE-2025-13486

Published : Dec. 3, 2025, 7:16 a.m. | 1 hour, 10 minutes ago

Description : The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2025-13946 – Loop with Unreachable Exit Condition (‘Infinite Loop’) in Wireshark

CVE-2025-13945 – Improperly Controlled Sequential Memory Allocation in Wireshark

CVE-2025-12954 – Timetable and Event Schedule by MotoPress < 2.4.16 – Contributor+ Event Disclosure via IDOR

CVE-2025-10304 – Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin