WordPress ACF Extended Unauthenticated RCE via prepare_form()

This module exploits an unauthenticated Remote Code Execution vulnerability in the Advanced Custom Fields: Extended ACF Extended WordPress plugin versions 0.9.0.5 through 0.9.1.1. The vulnerability exists in the prepareform function of the acfemoduleformfrontrender class, which accepts...

CVE-2025-13486

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepareform function. This is due to the function accepting user input and then passing that through calluserfuncarray. This makes it possible for...

CVE-2025-13486

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepareform function. This is due to the function accepting user input and then passing that through calluserfuncarray. This makes it possible for...

EUVD-2025-200730

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepareform function. This is due to the function accepting user input and then passing that through calluserfuncarray. This makes it possible for...

CVE-2025-13486 Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepareform function. This is due to the function accepting user input and then passing that through calluserfuncarray. This makes it possible for...

CVE-2025-13486 Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepareform function. This is due to the function accepting user input and then passing that through calluserfuncarray. This makes it possible for...

CVE-2025-13486

The CVE-2025-13486 vulnerability affects the Advanced Custom Fields: Extended (ACFE) WordPress plugin, versions 0.9.0.5–0.9.1.1. It arises from the prepare_form() function, where user-supplied data is forwarded to call_user_func_array() without proper validation, enabling unauthenticated remote c...

PT-2025-48795

Advanced Custom Fields: Extended and Affected Versions Advanced Custom Fields: Extended versions 0.9.0.5 through 0.9.1.1 Description The Advanced Custom Fields: Extended plugin for WordPress has a flaw that allows for Remote Code Execution RCE. This is due to the prepare form function accepting...

VulnCheck KEV: CVE-2025-13486

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepareform function. This is due to the function accepting user input and then passing that through calluserfuncarray. This makes it possible for...