CVE-2026-8809— Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| hwk-fr | Advanced Custom Fields: Extended | ≤ 0.9.2.5 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8809
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权管理不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| hwk-fr | Advanced Custom Fields: Extended | 0 ~ 0.9.2.5 | - |
II. Public POCs for CVE-2026-8809
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8809
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-8809 (3)
Vendor Advisories for CVE-2026-8809 (1)
Other References for CVE-2026-8809 (1)
IV. Related Vulnerabilities
Same product: Advanced Custom Fields: Extended
- CVE-2025-15463
Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticate - CVE-2025-14533
Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticate - CVE-2025-13486
Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthe - CVE-2023-5292
Advanced Custom Fields: Extended <= 0.8.9.3 - Authenticated - CVE-2021-24865
Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Inje
Same vendor: hwk-fr
- CVE-2025-15463
Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticate - CVE-2025-12037
WP 404 Auto Redirect <= 1.0.5 - Authenticated (Admin+) Store - CVE-2025-14533
Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticate - CVE-2025-13486
Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthe - CVE-2024-32559
WordPress WP 404 Auto Redirect to Similar Post plugin <= 1.0
Same weakness: CWE-269
- CVE-2026-47744
Shopper: Authorization bypass and RBAC privilege escalation - CVE-2026-45043
RustFS: ImportIam Allows Creation of Backdoor Service Accoun - CVE-2026-44543
Local Path Provisioner: HelperPod Template Injection - CVE-2026-8980
Privilege Escalation - CVE-2026-6226
Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Pri
V. Comments for CVE-2026-8809
No comments yet