A critical (CVSS 9.8) validation-bypass flaw in the Advanced Custom Fields: Extended WordPress plugin lets unauthenticated attackers create new administrator accounts on vulnerable sites that expose a public ACFE frontend form with a Create User action.
What Is It
CVE-2026-8809 is a privilege-escalation vulnerability (CWE-269) in the Advanced Custom Fields: Extended (ACFE) plugin for WordPress, affecting all versions up to and including 0.9.2.5. The plugin's after_validate_save_post() function unconditionally trusts the attacker-controlled _acf_post_id POST parameter, with no authentication or integrity verification, to select a cleanup branch that silently discards every validation error not prefixed with acfe:. By steering that branch, an attacker suppresses both the role allow-list error raised by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error raised by acfe_module_form_action_user::validate_action(). With those guards stripped, wp_insert_user() runs with an attacker-supplied administrator role argument, minting a new admin account.
Why It Matters
The bug is network-reachable, requires neither authentication nor user interaction, and is low-complexity to exploit; hence the 9.8 CRITICAL CVSS score with HIGH confidentiality, integrity, and availability impact. Successful exploitation hands an unauthenticated attacker a full administrator account on the target WordPress site, which is effectively a full site compromise: arbitrary plugin/theme upload, content tampering, credential theft, and persistence are all downstream of it. ACF Extended is widely deployed within the ACF ecosystem, which broadens the blast radius wherever its frontend forms are in use.
What's Vulnerable
- Plugin: Advanced Custom Fields: Extended (ACFE) for WordPress
- Affected versions: all releases up to and including 0.9.2.5
- Exploitation precondition: the target site must expose a public ACFE frontend form configured with a Create User action that maps a role field. Sites without such a public form are not exploitable via this path.
- CISA KEV: no entry supplied for this CVE; active exploitation is not confirmed in the provided source material.
Patch Status
Wordfence references a fix in the plugin's source tree at changeset 3551665, indicating the issue is addressed in a release after 0.9.2.5. Administrators of ACFE-equipped WordPress sites should update the plugin to the latest available version immediately, and in the interim audit any public-facing forms that include a Create User action mapping a role field. Review administrator account lists for unexpected entries.
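As an added interim control (example code, not part of ACFE, Wordfence, or the advisory), the following must-use plugin hooks WordPress's set_user_role action and reacts to the exact signature of this bug: an administrator role being assigned while no user is logged in. The policy it assumes is that, outside of installation and WP-CLI, no unauthenticated request on the site legitimately creates an administrator; the fallback role, log prefix, meta key, and function name are assumptions.

```php
<?php
// Added example (not ACFE's or Wordfence's code): drop into wp-content/mu-plugins/
// to log, contain and alert on administrator roles assigned during requests with
// no authenticated user, which is what a successful CVE-2026-8809 exploit looks like.

function acfe_adv_unauth_admin_guard( int $user_id, string $role, array $old_roles ): void {
    if ( 'administrator' !== $role ) {
        return;
    }
    // Assumed policy: install and WP-CLI are the only legitimate unauthenticated contexts.
    if ( is_user_logged_in() || ( defined( 'WP_CLI' ) && WP_CLI ) || wp_installing() ) {
        return;
    }

    $context = array(
        'user_id'      => $user_id,
        'old_roles'    => $old_roles,
        'request_uri'  => $_SERVER['REQUEST_URI'] ?? '',
        'remote_addr'  => $_SERVER['REMOTE_ADDR'] ?? '',
        // The request parameter named in the advisory, captured for triage.
        '_acf_post_id' => isset( $_POST['_acf_post_id'] )
            ? sanitize_text_field( wp_unslash( $_POST['_acf_post_id'] ) )
            : null,
    );
    error_log( '[acfe-guard] unauthenticated administrator assignment: ' . wp_json_encode( $context ) );

    // Contain: demote the account and mark it for review. The hook is detached first so
    // the set_role() call below does not re-enter this callback.
    remove_action( 'set_user_role', 'acfe_adv_unauth_admin_guard', 10 );
    $user = get_user_by( 'id', $user_id );
    if ( $user instanceof WP_User ) {
        $user->set_role( 'subscriber' ); // assumed safe fallback role
        update_user_meta( $user_id, 'acfe_guard_quarantined', time() ); // assumed meta key
    }
    add_action( 'set_user_role', 'acfe_adv_unauth_admin_guard', 10, 3 );

    wp_mail(
        get_option( 'admin_email' ),
        'Blocked unauthenticated administrator creation',
        wp_json_encode( $context, JSON_PRETTY_PRINT )
    );
}
add_action( 'set_user_role', 'acfe_adv_unauth_admin_guard', 10, 3 );
```

wp_insert_user() applies the requested role through WP_User::set_role(), so the hook fires for freshly minted accounts with an empty old_roles array; the logged context pairs each event with the request path and source address for correlation against web server logs.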