CVE-2026-8809

🟠 Łataj w tym tygodniu

Błąd w wtyczce Advanced Custom Fields: Extended pozwala na eskalację uprawnień do administratora.

CVSS
9.8
EPSS
0.2%
Exploit
none
Vendor
Opis źródłowy (NVD)

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.

privilege-escalation Brak patcha
Źródła i daty
ŹródłoWartość
NVD – CVSS9.8
CISA KEV (aktywnie wykorzystywane)Nie
FIRST EPSS (prawdopodobieństwo exploita)0.2%
Opublikowano (NVD)2026-05-28 23:16:44 UTC
Ostatnia modyfikacja (NVD)2026-05-29 02:40:08 UTC
Referencje