Advanced Custom Fields: Extended — commonly called ACF Extended or ACFE — is installed on over 100,000 WordPress sites. Agencies and developers use it to build sophisticated custom field groups, front-end forms, and content models that go well beyond what standard ACF supports. In December 2025, a Remote Code Execution vulnerability was disclosed that required no authentication — any attacker on the internet could execute arbitrary PHP on affected installations.
How the Vulnerability Works
CVE-2025-13486 lives in the prepare_form() function, which routes attacker-controlled input directly into PHP’s call_user_func_array() without validation. No authentication required. An attacker sends a crafted HTTP request and the server executes their code. CVSS score: 9.8 — Critical. Affected versions: 0.9.0.5 through 0.9.1.1. The patch landed in version 0.9.2.
What Unauthenticated RCE Gets an Attacker
Remote code execution means the attacker runs code on your web server. With unauthenticated RCE, they don’t need an account, a password, or a foothold — they send a request and the server executes it. From there, the options include creating hidden admin accounts, dropping web shells for persistent re-entry, reading wp-config.php and any API keys in the codebase, or modifying plugin and theme files to inject malicious behavior.
CVSS 9.8 vulnerabilities attract automated scanners within hours of public disclosure. The bots aren’t targeting specific sites — they sweep IP ranges checking plugin version headers against known CVEs. A small regional business on shared hosting gets the same automated probes as a high-traffic e-commerce store. Any site running an unpatched version of ACF Extended shows up as a hit.
The Gap Between Patch and Deployment
ACF Extended 0.9.2 was released promptly after the CVE disclosure. But many agencies managing client sites intentionally disable auto-updates — for good reason. A major plugin update that breaks a client’s checkout during peak trading is its own kind of crisis. So updates get scheduled manually, weeks pass, and the gap between “a patch exists” and “the patch is applied” stays open.
ACF Extended isn’t a plugin that gets discussed constantly in WordPress security circles — it’s a developer tool that mostly just works. That makes it easy to overlook when mentally prioritizing what needs updating this week. Sites that were running affected versions in December 2025 and January 2026 should be treated as potentially compromised: look for unexpected admin accounts in the Users list, check for modified theme or plugin files, and rotate any credentials stored in wp-config.php or custom options fields.
Check Your Version Now
If ACF Extended is installed on any site you manage, check the version number. Version 0.9.2 and above are not affected. Anything below that should be updated immediately — and if the site ran an affected version for any period after December 3, 2025, a post-update audit is warranted.
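The version check described here, together with the post-update audit from the previous section, as an added example (this is not Trusti Security's code or the ACF Extended project's code). It reads the standard WordPress plugin header from the plugin's main file, compares the version numerically against the 0.9.0.5 to 0.9.1.1 range and the 0.9.2 fix, and prints one status per site; the plugin file path, the site labels and the sample header contents are assumptions constructed for the example.

```python
"""Inventory check for the ACF Extended version range in the advisory.

Added example, not the plugin's or Trusti Security's code. Assumes the
plugin's main file carries a standard WordPress plugin header with a
'Version:' line; the file path below is a guess, adjust it to your install.
"""
import re
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Range and fix version as stated in the advisory.
AFFECTED_MIN: Version = (0, 9, 0, 5)
AFFECTED_MAX: Version = (0, 9, 1, 1)
FIXED: Version = (0, 9, 2)

# Assumed location of the plugin's main file relative to the WordPress root.
ASSUMED_PLUGIN_FILE = "wp-content/plugins/acf-extended/acf-extended.php"


def parse_version(text: str) -> Version:
    """'0.9.1.1' -> (0, 9, 1, 1). Numeric parts, so '0.9.10' sorts above
    '0.9.2'; a plain string comparison would get that wrong."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def version_ge(a: Version, b: Version) -> bool:
    """a >= b with zero-padding, so (0, 9, 2) and (0, 9, 2, 0) compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def header_version(plugin_source: str) -> Optional[str]:
    """Pull the 'Version:' field out of a WordPress plugin header comment.
    Handles both ' * Version: x' and bare 'Version: x' header styles."""
    m = re.search(r"^[ \t/*]*Version:[ \t]*([0-9][0-9.]*)[ \t\r]*$",
                  plugin_source, re.MULTILINE)
    return m.group(1) if m else None


def assess(version_text: Optional[str]) -> str:
    """Map a version string to an action for the site:
       'patched'  - 0.9.2 or later
       'affected' - inside the disclosed range: update now and run the audit
       'outdated' - below 0.9.2 but outside the disclosed range: still update
       'unknown'  - no version header found; inspect by hand"""
    if version_text is None:
        return "unknown"
    v = parse_version(version_text)
    if version_ge(v, FIXED):
        return "patched"
    if version_ge(v, AFFECTED_MIN) and version_ge(AFFECTED_MAX, v):
        return "affected"
    return "outdated"


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """site label -> status, given each site's plugin main-file contents."""
    return {site: assess(header_version(src)) for site, src in inventory.items()}


# Constructed sample inventory (not real sites): label -> main-file contents.
SAMPLE_INVENTORY = {
    "client-a.example": "<?php\n/**\n * Plugin Name: Advanced Custom Fields: Extended\n * Version: 0.9.1.1\n */\n",
    "client-b.example": "<?php\n/*\nPlugin Name: Advanced Custom Fields: Extended\nVersion: 0.9.2\n*/\n",
    "client-c.example": "<?php\n/**\n * Plugin Name: Advanced Custom Fields: Extended\n * Version: 0.9.0.4\n */\n",
    "client-d.example": "<?php\n/**\n * Plugin Name: Advanced Custom Fields: Extended\n */\n",
}

# Post-update audit steps from the advisory, attached to every affected site.
AUDIT_STEPS = (
    "review the Users list for admin accounts nobody created",
    "diff theme and plugin files against clean copies",
    "rotate credentials held in wp-config.php and custom options fields",
)


def report(inventory: Dict[str, str]) -> str:
    """One line per site, with the audit checklist under affected sites."""
    lines = []
    for site, status in sorted(assess_inventory(inventory).items()):
        lines.append(f"{site}: {status}")
        if status == "affected":
            lines.extend(f"  - {step}" for step in AUDIT_STEPS)
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_acfe.py /site1/<ASSUMED_PLUGIN_FILE> /site2/...
    # With no arguments the constructed sample inventory is reported instead.
    if len(sys.argv) > 1:
        inv = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    else:
        inv = SAMPLE_INVENTORY
    print(report(inv))
```

Run it against one plugin main file per managed site; the numeric comparison matters because a lexical check would rank a hypothetical 0.9.10 below 0.9.2, and the 'unknown' status keeps a missing header from being silently read as safe.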
For agencies managing multiple client sites, the challenge isn’t knowing what to do once a CVE is published — it’s knowing which sites are affected in the first place. Trusti Security’s vulnerability scanner surfaces that information automatically: when CVE-2025-13486 was added to the vulnerability database, any site with a flagged version would appear in the dashboard with an alert via email, Slack, or Telegram, depending on how notifications are configured.