Vulnerability in Popular WordPress Plugin Puts 100,000 Sites at Risk
The Advanced Custom Fields: Extended WordPress plugin, used by over 100,000 websites, has a critical vulnerability that allows unauthenticated attackers to register as administrators, giving them full control over the site. This flaw, rated 9.8 out of 10, can be exploited by anyone on the internet, making it a significant threat to website owners.
What is the Advanced Custom Fields: Extended Plugin?
The Advanced Custom Fields: Extended plugin is an add-on to the popular Advanced Custom Fields Pro plugin. It allows site owners and developers to extend the functionality of custom fields, manage front-end forms, create options pages, define custom post types and taxonomies, and customize the WordPress admin experience. The plugin is widely used on sites that rely on front-end forms and advanced content management workflows.
Who Can Exploit This Vulnerability?
This vulnerability can be exploited by unauthenticated attackers, meaning that anyone on the internet can attempt to exploit the flaw without needing to have a user account or any prior access to the site. This significantly increases the risk, as it removes the need for compromised credentials or insider access.
Privilege Escalation Exposure
The vulnerability is a privilege escalation flaw caused by missing role restrictions during user registration. Specifically, the plugin’s insert_user function does not limit which user roles can be assigned when a new user account is created. Under normal circumstances, WordPress should strictly control which roles users can select or be assigned during registration. However, because this check is missing, an attacker can submit a registration request that explicitly assigns the administrator role to the new account.
How the Vulnerability Works
The flaw appears to be due to insufficient server-side validation of the form field "Choices." The plugin relies on the HTML form to restrict which roles a user can select, but the backend never verifies that the submitted role matches one of the allowed options. An attacker can intercept the HTTP request and change the value to role=administrator, and the plugin accepts it without checking whether it is a permitted choice.
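To make the missing check concrete, here is an added illustration (not ACF Extended's own code) of the vulnerable pattern described above beside a hardened version that re-validates the submitted role on the server against the field's configured "Choices," using standard WordPress APIs. The function names, the shape of the $field array, and the use of the manage_options capability as the cut-off for privileged roles are assumptions for this example.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded.
// $field['choices'] stands in for the field's configured "Choices" setting,
// e.g. ['subscriber' => 'Subscriber', 'author' => 'Author'] (constructed).

// VULNERABLE pattern: trusts the HTML <select> to limit the role. Anyone who
// edits the request body can send role=administrator and it is used as-is.
function insert_user_vulnerable( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ),
        'user_email' => sanitize_email( $post['user_email'] ),
        'user_pass'  => $post['user_pass'],
        'role'       => $post['role'], // never compared with the allowed choices
    ) );
}

// HARDENED: the server derives the allowed set from the field settings and
// rejects anything else; privileged roles are refused from front-end forms
// regardless of what the choices contain.
function resolve_front_end_role( array $field, $submitted ) {
    $role    = sanitize_key( (string) $submitted );
    $choices = array_map( 'sanitize_key', array_keys( $field['choices'] ?? array() ) );

    // 1. Must be one of the field's configured choices (checked here, not in HTML).
    if ( ! in_array( $role, $choices, true ) ) {
        return new WP_Error( 'invalid_role', 'Submitted role is not an allowed choice.' );
    }
    // 2. Must be a role that actually exists on this site.
    $role_obj = get_role( $role );
    if ( null === $role_obj ) {
        return new WP_Error( 'unknown_role', 'Role does not exist.' );
    }
    // 3. Self-registration never grants a role that can administer the site.
    if ( $role_obj->has_cap( 'manage_options' ) ) {
        return new WP_Error( 'privileged_role', 'Privileged roles cannot be self-assigned.' );
    }
    return $role;
}

function insert_user_hardened( array $field, array $post ) {
    // Fall back to the site's default role when the form sends none.
    $role = resolve_front_end_role( $field, $post['role'] ?? get_option( 'default_role', 'subscriber' ) );
    if ( is_wp_error( $role ) ) {
        return $role; // surface the validation failure instead of creating the account
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ),
        'user_email' => sanitize_email( $post['user_email'] ),
        'user_pass'  => $post['user_pass'],
        'role'       => $role,
    ) );
}
```

The hardened path fails closed: a tampered role=administrator is rejected at step 1 (not in the choices) and, even if an operator mistakenly listed it as a choice, at step 3.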
Patches and Fixes
The plugin’s changelog lists the following entries as patches to the plugin:
- "Enforced front-end fields validation against their respective ‘Choices’ settings."
- "Module: Forms – Added security measure for forms allowing user role selection"
These patches add stronger validation controls for front-end forms and make them more configurable.
What Attackers Can Gain
If successfully exploited, the attacker gains administrator-level access to the WordPress site, allowing them to:
- Install or modify plugins and themes
- Inject malicious code
- Create backdoor administrator accounts
- Steal or manipulate site data
- Redirect visitors or distribute malware
Gaining administrator access is a full site takeover.
Conditions Required for Exploitation
The vulnerability is not automatically exploitable on every site running the plugin. Exploitation requires that:
- The site uses a front-end form provided by the plugin
- The form maps a custom field directly to the WordPress user role
Patch Status and What Site Owners Should Do
The vulnerability affects all versions up to and including 0.9.2.1. The issue is addressed in version 0.9.2.2, which introduces additional validation and security checks around front-end forms and user role handling. Site owners using this plugin should update immediately to the latest patched version. If updating is not possible, the plugin should be disabled until the fix can be applied.
Conclusion
The vulnerability in the Advanced Custom Fields: Extended plugin is a significant threat to website owners, as it allows unauthenticated attackers to gain administrator-level access to the site. Site owners should update the plugin to the latest version as soon as possible to prevent exploitation. Delaying action leaves affected sites exposed to a complete takeover, which can result in significant damage to the site and its users.