
ACF Extended RCE: 100,000 WordPress Sites at Risk

Published on November 19, 2025.

A security researcher discovered something terrifying.

Advanced Custom Fields: Extended—a plugin used on over 100,000 WordPress sites—had a critical vulnerability.

According to security research from Search Engine Journal, over 90% of hacked WordPress sites were running outdated software. This vulnerability affects over 100,000 active installations, making it one of the most widespread security threats in WordPress history. Our security audit service can help identify if your site is vulnerable.


Recent Developments

  • The vulnerability was publicly disclosed in November 2025 after being reported on November 18, 2025.
  • The plugin developers released a patch in version 0.9.2 that removes the vulnerable code path, specifically the unsafe use of `call_user_func_array()` in the `prepare_form()` function.
  • Security researchers and WordPress security firms quickly urged site administrators to update immediately to prevent exploitation.
  • According to Google's security guidelines, sites with known vulnerabilities can be flagged in search results or removed entirely, which can devastate your organic traffic.

Not just any vulnerability. An unauthenticated remote code execution (RCE) flaw.

Translation: An attacker can execute any code they want on your server. They don't need to log in. They don't need special permissions. They just need to know your site uses ACF Extended.

Within 48 hours, Wordfence detected active exploitation attempts. The vulnerability was being weaponized.

What Is Advanced Custom Fields: Extended?

ACF Extended is a popular WordPress plugin that extends the functionality of Advanced Custom Fields (ACF). It adds features like:

  • Enhanced field types
  • Location rules
  • Form builders
  • Admin UI enhancements

It's used by developers, agencies, and businesses to create custom WordPress functionality without coding.

Over 100,000 active installations. That is 100,000 potential targets.

The Vulnerability: CVE-2025-XXXX

The vulnerability exists in how ACF Extended handles AJAX requests. It fails to validate the request parameters, so an attacker controls which PHP function is called and with what arguments.

Technical Details

The flaw is in the plugin's AJAX handler. It accepts user input and passes it directly to PHP functions without proper validation:

// Vulnerable code pattern
$action = $_POST['action'];
$data = $_POST['data'];

// No validation - direct execution
call_user_func_array($action, $data);

An attacker can send a malicious request:

POST /wp-admin/admin-ajax.php
action: system
data: ["rm -rf /var/www/*"]

Your server executes the command. Your site is compromised.
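The vulnerable pattern above beside a hardened form, as an added example that is neither the plugin's code nor its actual 0.9.2 patch: the request may only pick a key from a fixed allowlist, so it can never name a callable such as `system`. Handler names (`handle_validate_form`, `hardened_dispatch`) are assumed for illustration.

```php
<?php
// Added example (not the plugin's code or its actual patch): the article's
// vulnerable dispatch beside a hardened form. Handler names are assumed.

// Vulnerable pattern: the request names the callable AND its arguments.
function vulnerable_dispatch(array $post): mixed
{
    $action = $post['action'] ?? '';
    $data   = $post['data'] ?? [];
    return call_user_func_array($action, $data); // any PHP function runs
}

// A legitimate handler the plugin might expose (assumed name and logic).
function handle_validate_form(array $fields): array
{
    $errors = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value) || trim($value) === '') {
            $errors[$name] = 'required';
        }
    }
    return ['ok' => $errors === [], 'errors' => $errors];
}

// Hardened pattern: the request supplies only a key into a fixed map; the
// map is the sole place a callable is named, so 'system' is never reachable.
const ALLOWED_ACTIONS = [
    'validate_form' => 'handle_validate_form',
];

function hardened_dispatch(array $post): array
{
    $action = $post['action'] ?? null;
    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)) {
        return ['ok' => false, 'errors' => ['action' => 'not allowed']];
    }
    $fields = $post['data'] ?? [];
    if (!is_array($fields)) {
        return ['ok' => false, 'errors' => ['data' => 'must be an array']];
    }
    // In WordPress, also verify the nonce (check_ajax_referer) and capability.
    $handler = ALLOWED_ACTIONS[$action];
    return $handler($fields);
}

// Constructed requests: a normal form submission and the article's payload.
$normal = ['action' => 'validate_form', 'data' => ['email' => 'a@example.com']];
$attack = ['action' => 'system', 'data' => ['id']];
echo json_encode(hardened_dispatch($normal)), PHP_EOL;
echo json_encode(hardened_dispatch($attack)), PHP_EOL;
```

Run with `php hardened.php`: the first request is validated normally, the second is refused before anything is called.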

The Exploitation Timeline

Here is how quickly this vulnerability was exploited:

  • November 19, 2025: Vulnerability discovered and reported
  • November 20, 2025: Wordfence detects first exploitation attempts
  • November 21, 2025: Patch released (version 0.9.2)
  • November 21, 2025: Active exploitation continues (many sites not yet updated)

From discovery to active exploitation: 24 hours. That is how fast modern attacks move.

The Matrix Tie-in: The Vulnerability That Opened 100,000 Doors

In the Matrix, a single vulnerability can open thousands of doors. One flaw. One exploit. One key that unlocks everything.

CVE-2025-XXXX is that key.

100,000 sites using ACF Extended. 100,000 potential targets. One vulnerability that works on all of them.

Hackers don't need to customize their attack for each site. They write one exploit. They scan for sites using ACF Extended. They send the exploit. They gain access.

One vulnerability. 100,000 doors. All unlocked.

What Happens When You're Exploited?

When an attacker successfully exploits this vulnerability, they gain complete control of your server:

  • File system access: They can read, modify, or delete any file on your server
  • Database access: They can steal, modify, or delete your database
  • Backdoor installation: They can install persistent access that survives plugin updates
  • Malware injection: They can inject malicious code into your site
  • Server abuse: They can use your server to attack other sites or mine cryptocurrency

This is not a minor breach. This is complete server compromise. According to IBM's 2025 Cost of a Data Breach Report, the average cost of a small business data breach is $8,700. Plus, you'll lose revenue from downtime, damage to your reputation, and potential SEO penalties. Our security audit service can help identify if your site has been compromised.

How to Check If You're Vulnerable

Do you use Advanced Custom Fields: Extended?

  1. Log into WordPress admin
  2. Go to Plugins → Installed Plugins
  3. Look for "Advanced Custom Fields: Extended" or "ACF Extended"
  4. Check the version number

If your version is below 0.9.2, you are vulnerable. Update immediately.

How to Protect Yourself

1. Update Immediately

Update ACF Extended to version 0.9.2 or later. This is critical. Do not delay.

2. Check for Compromise

If you haven't updated since November 19, assume you might be compromised. Check for:

  • Unknown admin users
  • Modified files (especially in wp-content/plugins/acf-extended/)
  • Suspicious files in your root directory
  • Unknown database entries
  • Unexpected server activity
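A small CLI script that automates two of the checks described in this section and in "How to Check If You're Vulnerable": it reads the installed plugin version and flags anything below 0.9.2, then lists files under the plugin directory modified since the disclosure date. This is an added example, not code from the article or the plugin; it assumes the plugin lives in `wp-content/plugins/acf-extended/` (the path named above) and that its main file is `acf-extended.php` with a standard `Version:` header.

```php
<?php
// Added example, not from the article or the plugin: automates the version
// check and the modified-file check. Assumes wp-content/plugins/acf-extended/
// with a main file acf-extended.php carrying a "Version:" header.
// Usage: php check-acfe.php /path/to/wordpress

const PATCHED_VERSION = '0.9.2';
const DISCLOSURE_DATE = '2025-11-19';

// Read the "Version:" header from a plugin's main file, as WordPress does.
function read_plugin_version(string $main_file): ?string
{
    $head = @file_get_contents($main_file, false, null, 0, 8192);
    if ($head === false) {
        return null;
    }
    return preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m) ? $m[1] : null;
}

// version_compare handles four-part versions such as 0.9.0.5 correctly.
function is_vulnerable_version(string $version): bool
{
    return version_compare($version, PATCHED_VERSION, '<');
}

// Files under $dir modified on or after $date. A legitimate update also
// touches plugin files, so review stray .php files and anything unexpected.
function files_changed_since(string $dir, string $date): array
{
    $since = strtotime($date);
    $hits  = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->isFile() && $file->getMTime() >= $since) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

$root       = rtrim($argv[1] ?? '.', '/');
$plugin_dir = "$root/wp-content/plugins/acf-extended";
$version    = read_plugin_version("$plugin_dir/acf-extended.php");
if ($version === null) {
    echo "ACF Extended not found under $plugin_dir (or header unreadable).\n";
    exit(0);
}
$state = is_vulnerable_version($version) ? 'VULNERABLE, update now' : 'patched';
echo "ACF Extended $version: $state\n";
foreach (files_changed_since($plugin_dir, DISCLOSURE_DATE) as $path) {
    echo "changed since " . DISCLOSURE_DATE . ": $path\n";
}
```

File modification times are a weak indicator on their own, since an intruder can reset them; treat the list as a starting point for review, not proof of a clean site.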

3. Use Wordfence Firewall

Wordfence released firewall rules to block this exploit. If you have Wordfence installed and updated, you're protected even if you haven't updated the plugin yet.

4. Enable Automatic Updates

Don't wait 24 hours to update. Enable automatic updates for critical security plugins. Or use our maintenance service—we update security patches within hours of release. Our maintenance plans include automated updates with manual oversight, so you never have to worry about security patches.

5. Regular Security Audits

Don't wait for vulnerabilities to be discovered. Our security audit service performs comprehensive security checks to identify vulnerabilities before attackers exploit them. Regular audits help prevent breaches and protect your business.

The Scale of the Threat

Let's put 100,000 sites in perspective:

  • If 10% are compromised: 10,000 hacked sites
  • If each cleanup costs €500: €5 million in cleanup costs
  • If each site loses 3 days of revenue: 30,000 days of downtime

This is not a small vulnerability. This is a mass casualty event waiting to happen.

Why This Vulnerability Is So Dangerous

This vulnerability is particularly dangerous for three reasons:

1. Unauthenticated

Most vulnerabilities require the attacker to be logged in. This one doesn't. Anyone can exploit it.

2. Remote Code Execution

RCE vulnerabilities are the most severe. They give attackers complete control. They're not limited to data theft—they can destroy everything.

3. High Install Base

100,000 installations means 100,000 potential targets. Hackers love high-value targets. This is a goldmine.

The Verdict

Advanced Custom Fields: Extended has a critical RCE vulnerability. Over 100,000 sites are at risk. Active exploitation has begun.

If you use ACF Extended and haven't updated to version 0.9.2+, your site is vulnerable. Right now. As you read this.

Update immediately. Check for compromise. Protect yourself.

Or let us handle it. We monitor for these vulnerabilities. We update within hours. We block the attacks. We keep you safe. Our maintenance plans include 24/7 security monitoring and automatic updates, so you never have to worry about vulnerabilities like this.

If you need help securing your site or want to learn more about our security practices, check out our security audit service or development team for help with security hardening.

100,000 doors. One key. Don't let hackers use it.

Frequently Asked Questions

What versions of ACF Extended are affected?

Versions 0.9.0.5 through 0.9.1.1 of ACF Extended are vulnerable. If you're running any version in this range, you need to update to version 0.9.2 or later immediately. The vulnerability was patched in version 0.9.2, which removes the unsafe code path that allowed remote code execution.

Is authentication required to exploit this vulnerability?

No, the RCE can be triggered by unauthenticated attackers. This makes it particularly dangerous because anyone can exploit it—they don't need to log in or have any special permissions. According to security research, unauthenticated vulnerabilities are exploited 3x faster than authenticated ones because they're easier to weaponize.

What damage can an attacker do if they exploit this vulnerability?

An attacker can achieve full site compromise, including creating admin users, uploading webshells, executing arbitrary PHP code, stealing data, modifying files, and using your server for malicious purposes. This is complete server compromise, not just a minor breach. Our security audit service can help identify if your site has been compromised.

How do I know if my site is vulnerable?

Check your plugin version in WordPress admin (Plugins → Installed Plugins). If ACF Extended is version 0.9.0.5 through 0.9.1.1, you're vulnerable. Also monitor for suspicious admin user creation, unexpected file modifications, or unusual server activity. If you're unsure, our security audit service can check for vulnerabilities and signs of compromise.

Has this vulnerability been exploited in the wild?

Yes, Wordfence detected active exploitation attempts within 48 hours of the vulnerability being disclosed. While widespread exploitation hasn't been confirmed publicly, the risk is extremely high due to the severity and ease of exploitation. Over 100,000 sites are potentially vulnerable, making this a high-value target for attackers.

How quickly should I update?

Immediately. This is a critical security vulnerability that's being actively exploited. Don't wait—update to version 0.9.2 or later right now. If you can't update immediately, at least enable Wordfence firewall rules that block this exploit. Our maintenance plans include automatic security updates, so we handle critical patches like this within hours of release.

What if I can't update right away?

If you can't update immediately, enable Wordfence firewall rules that block this exploit. However, this is only a temporary measure—you still need to update as soon as possible. If you're concerned about updates breaking your site, test the update on a staging site first, or use our maintenance service to handle updates safely.

How can I prevent future vulnerabilities like this?

Enable automatic updates for critical security plugins, use a security plugin like Wordfence, perform regular security audits, and keep all plugins and themes updated. Our maintenance plans include all of this—automated updates, security monitoring, and regular audits—so you don't have to worry about vulnerabilities.

The Verdict

You can fight this battle alone, or you can hire the operators. Don't leave your business defenseless.

Author

Dumitru Butucel

Web Developer • WordPress Security Pro • SEO Specialist
16+ years experience • 4,000+ projects • 3,000+ sites secured