100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Advanced Custom Fields: Extended WordPress Plugin
We urge users to update their sites with the latest patched version of Advanced Custom Fields: Extended, version 0.9.2 at the time of this publication, as soon as possible.
On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely.
Props to dudekmar who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $4,290.00 for this discovery.
Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program.
We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on November 20, 2025.
Sites using the free version of Wordfence will receive the same protection 30 days later on December 20, 2025.
We provided full disclosure details to the ACF Extended team instantly through our Wordfence Vulnerability Management Portal on November 20, 2025.
The vendor released the patch the next day, on November 21, 2025. We would like to commend the ACF Extended team for their prompt response and timely patch.
Wordfence
100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Advanced Custom Fields: Extended WordPress Plugin
We urge users to update their sites with the latest patched version of Advanced Custom Fields: Extended, version 0.9.2 at the time of this publication, as soon as possible.
www.wordfence.com/blog/2025/12/100000-wordpress-si…
On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely.
Props to dudekmar who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $4,290.00 for this discovery.
Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program.
We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on November 20, 2025.
Sites using the free version of Wordfence will receive the same protection 30 days later on December 20, 2025.
We provided full disclosure details to the ACF Extended team instantly through our Wordfence Vulnerability Management Portal on November 20, 2025.
The vendor released the patch the next day, on November 21, 2025. We would like to commend the ACF Extended team for their prompt response and timely patch.
#wordpress #wordpresssecurity #wordpresssecuritynews #cybersecurity #cybersecuritynews #wordfence #bugbounty
2 weeks ago | [YT] | 6