CVE-2025-13486 — AI Deep Analysis Summary

🚨 **Essence**: A critical Code Injection flaw in the 'Advanced Custom Fields Extended' plugin. 💥 **Consequences**: Attackers can execute arbitrary code, leading to full server compromise, data theft, and site defacement.

🛡️ **Root Cause**: CWE-94 (Code Injection). The `prepare_form` function accepts unsanitized user input and passes it directly to `call_user_func_array`, allowing malicious payload execution.

📦 **Affected**: WordPress Plugin 'Advanced Custom Fields: Extended' by vendor 'hwk-fr'. 📅 **Versions**: 0.9.0.5 through 0.9.1.1 are vulnerable.

💀 **Impact**: High! CVSS Score is Critical (9.8). Hackers gain Remote Code Execution (RCE). They can steal sensitive data, modify site content, and take over the entire WordPress installation.

⚡ **Threshold**: LOW. CVSS Vector shows AV:N (Network), AC:L (Low Complexity), PR:N (No Privileges Required), UI:N (No User Interaction). Exploitation is easy and remote.

🔓 **Exploitation**: YES. Multiple public PoCs and Docker test environments are available on GitHub (e.g., by 0xnemian, 0xanis, KrE80r). Wild exploitation risk is high.

🔍 **Self-Check**: Scan your WordPress plugins for 'Advanced Custom Fields: Extended'. Check the version number. If it is between 0.9.0.5 and 0.9.1.1, you are vulnerable.

🩹 **Fix**: YES. The vendor released a fix in changeset 3400134. Update the plugin immediately to the latest patched version to resolve the issue.

🚧 **No Patch?**: Disable the plugin immediately if you cannot update. Remove it from the server if not essential. Monitor logs for suspicious `call_user_func` activity.

🔥 **Urgency**: CRITICAL. With public exploits and a CVSS of 9.8, patch immediately. Do not wait. This is a high-priority security emergency.