Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Sat, 30 May 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hwk-fr
Hwk-fr advanced Custom Fields Wordpress Wordpress wordpress |
|
| Vendors & Products |
Hwk-fr
Hwk-fr advanced Custom Fields Wordpress Wordpress wordpress |
Fri, 29 May 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 28 May 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field. | |
| Title | Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter | |
| Weaknesses | CWE-269 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-05-29T10:08:09.995Z
Reserved: 2026-05-18T06:34:31.899Z
Link: CVE-2026-8809
Updated: 2026-05-29T10:08:04.774Z
Status : Deferred
Published: 2026-05-28T23:16:44.760
Modified: 2026-05-29T02:40:08.093
Link: CVE-2026-8809
No data.
OpenCVE Enrichment
Updated: 2026-05-30T21:00:12Z