CVE-2025-13486 – Advanced Custom Fields: Extended 0.9.0.5 – 0.9.1.1 – Unauthenticated Remote Code Execution in prepare_form

CVE ID : CVE-2025-13486

Published : Dec. 3, 2025, 7:16 a.m. | 1 hour, 10 minutes ago

Description : The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…