PatchSiren cyber security CVE debrief
CVE-2026-8809 hwk-fr CVE debrief
CVE-2026-8809 is a critical privilege escalation vulnerability in the Advanced Custom Fields: Extended (ACFE) WordPress plugin, affecting all versions up to and including 0.9.2.5. The vulnerability stems from improper validation in the `after_validate_save_post()` function, which unconditionally trusts the attacker-controlled `_acf_post_id` POST parameter without authentication or integrity verification. This trust allows attackers to select a cleanup branch that silently discards validation errors not prefixed with `acfe:`, effectively suppressing security checks including role allow-list validation and administrator-role capability guards. The result is unauthenticated creation of administrator-level user accounts when a public ACFE frontend form is configured with a Create User action that maps a role field. The vulnerability was disclosed on 2026-05-28 with a CVSS 3.1 score of 9.8 (Critical). A patch is available in changeset 3551665.
- Vendor: hwk-fr
- Product: Advanced Custom Fields: Extended
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
- WordPress site administrators using the Advanced Custom Fields: Extended plugin
- Security teams managing WordPress installations
- Web application firewall operators
- Managed WordPress hosting providers
Technical summary
The vulnerability exists in the `after_validate_save_post()` function which processes the `_acf_post_id` POST parameter without authentication checks or integrity verification. When this parameter is manipulated, the function selects a cleanup branch that filters out validation errors lacking the `acfe:` prefix. This bypasses two critical security controls: (1) the role allow-list validation in `acfe_field_user_roles::validate_front_value()` and (2) the administrator-role capability guard in `acfe_module_form_action_user::validate_action()`. With these validations suppressed, `wp_insert_user()` executes using attacker-supplied role parameters, enabling unauthenticated creation of administrator accounts. Exploitation requires a publicly accessible ACFE frontend form configured with a Create User action that includes role field mapping. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects network attack vector, low complexity, no privileges required, no user interaction, and high impact across confidentiality, integrity, and availability.
Defensive priority
critical
Recommended defensive actions
- Immediately update Advanced Custom Fields: Extended plugin to version 0.9.2.6 or later
- Audit all ACFE frontend forms for Create User actions with role field mappings and verify they are not publicly accessible until patched
- Review WordPress user accounts for unauthorized administrator-level accounts created since plugin installation
- Implement Web Application Firewall rules to block suspicious POST requests to ACFE form endpoints that carry manipulated `_acf_post_id` parameters
- Disable public ACFE frontend forms with Create User actions if patching is not immediately feasible
- Monitor WordPress audit logs for unexpected user creation events with administrator privileges
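The two review actions above (auditing administrator accounts created since the plugin was installed, and watching for administrator-level user creation that no logged-in user performed) can be scripted. The block below is an added example written for this debrief; it is not code from the advisory, from PatchSiren, or from the ACFE plugin. It assumes a user export in the shape of `wp user list --fields=ID,user_login,user_registered,roles --format=json` (with `roles` as a comma-separated string) and an audit-event feed in a hypothetical shape that a small mu-plugin hooked on WordPress's `user_register` action could write. All sample data, the `PLUGIN_INSTALLED` date and the `_acf_post_id` values are constructed placeholders.

```python
"""Defender-side triage for the ACFE privilege-escalation pattern.

Added example for this debrief, not part of the advisory or the plugin.
Data shapes below are assumptions; replace the samples with real exports.
"""
from __future__ import annotations

import json
from datetime import datetime

# Placeholder: set this to the date the ACFE plugin was installed on the site.
PLUGIN_INSTALLED = datetime(2026, 1, 15)

# Roles whose unexpected assignment is the impact described in the advisory.
ELEVATED = {"administrator"}

# Constructed sample, assumed shape of
#   wp user list --fields=ID,user_login,user_registered,roles --format=json
SAMPLE_USERS_JSON = """[
  {"ID": 1,  "user_login": "siteowner", "user_registered": "2024-03-02 09:10:00", "roles": "administrator"},
  {"ID": 57, "user_login": "jdoe",      "user_registered": "2026-02-01 12:00:00", "roles": "subscriber"},
  {"ID": 58, "user_login": "wpsupport", "user_registered": "2026-05-27 03:14:07", "roles": "administrator"},
  {"ID": 59, "user_login": "editor2",   "user_registered": "2026-05-27 03:20:00", "roles": "editor,subscriber"}
]"""

# Constructed sample audit events (hypothetical shape). Fields:
#   ts, ip, new_user, roles, actor (login of the logged-in user whose request
#   created the account, or null when the request was unauthenticated),
#   acf_post_id (raw `_acf_post_id` POST value if present, else null; the
#   values here are constructed and carry no meaning).
SAMPLE_EVENTS_JSON = """[
  {"ts": "2026-05-27 03:14:07", "ip": "203.0.113.9",  "new_user": "wpsupport", "roles": ["administrator"], "actor": null,        "acf_post_id": "17"},
  {"ts": "2026-05-27 03:20:00", "ip": "198.51.100.4", "new_user": "editor2",   "roles": ["editor"],        "actor": "siteowner", "acf_post_id": null},
  {"ts": "2026-05-27 04:00:00", "ip": "198.51.100.7", "new_user": "newsub",    "roles": ["subscriber"],    "actor": null,        "acf_post_id": "412"}
]"""


def admins_registered_since(users_json: str, since: datetime) -> list[str]:
    """Logins of accounts holding an elevated role that were registered after `since`.

    This is the "review user accounts since plugin installation" action.
    """
    hits: list[str] = []
    for user in json.loads(users_json):
        roles = {r.strip() for r in user["roles"].split(",")}
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if roles & ELEVATED and registered > since:
            hits.append(user["user_login"])
    return hits


def flag_user_creations(events_json: str) -> list[dict]:
    """Events where an elevated role was granted by a request with no logged-in actor.

    A public ACFE frontend form legitimately creates accounts without a logged-in
    actor, so the presence of `_acf_post_id` alone is not flagged; it is kept as
    context so an analyst can see whether the frontend-form path was involved.
    """
    hits: list[dict] = []
    for event in json.loads(events_json):
        if set(event["roles"]) & ELEVATED and event["actor"] is None:
            hits.append({
                "ts": event["ts"],
                "ip": event["ip"],
                "new_user": event["new_user"],
                "acf_post_id": event["acf_post_id"],
                "reason": "elevated role granted by unauthenticated request",
            })
    return hits


if __name__ == "__main__":
    print("Elevated accounts registered since plugin install:",
          admins_registered_since(SAMPLE_USERS_JSON, PLUGIN_INSTALLED))
    for hit in flag_user_creations(SAMPLE_EVENTS_JSON):
        print("ALERT", hit)
```

On a live site, feed `admins_registered_since()` the real `wp user list` output and set `PLUGIN_INSTALLED` from the plugin's install record; any account it returns that nobody on the team created warrants the incident-response steps above (disable the account, rotate credentials, check for persistence).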
Evidence notes
Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code analysis. The `after_validate_save_post()` function at hooks.php#L636 processes the `_acf_post_id` parameter without verification. Validation errors from `acfe_field_user_roles::validate_front_value()` and `acfe_module_form_action_user::validate_action()` are suppressed when the cleanup branch is triggered. The `wp_insert_user()` function executes with attacker-controlled role parameters. Patch available in changeset 3551665.
Official resources
2026-05-28