CVE-2026-8809 CRITICAL

CVE-2026-8809: Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter

Vendor Hwk-Fr
Product Advanced Custom Fields: Extended
Weakness CWE-269
Published May 28, 2026
Last update May 29, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.

Explanation of Vulnerability in Simple Terms

02Summary

Advanced Custom Fields: Extended versions up to 0.9.2.5 contain a privilege management flaw that allows unauthenticated attackers to read, modify, or delete site data without restriction. The vulnerability requires no user interaction and is exploitable over the network. All sites running affected versions are at immediate risk of complete data compromise.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete any site data without authentication.

Potential impact on your site

04Site Impact

Complete compromise of site data, including user accounts, posts, and configuration.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

May 28, 2026 CVE published
May 29, 2026 Record updated