## https://sploitus.com/exploit?id=8A02EE6F-39EF-56A6-B360-BF2E4D44DF48
# CVE-2026-8809
Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter
This critical vulnerability (CVSS 9.8) affects all versions of the popular WordPress plugin Advanced Custom Fields: Extended (ACF Extended) up to and including 0.9.2.5.
The vulnerability, which was fixed in version 0.9.2.6, works as follows:
**Problematic Function:** At the root of the vulnerability lies the unchecked trust that the `after_validate_save_post()` function places in the POST parameter named `_acf_post_id`. The plugin does not subject this parameter to any validation or authentication check.

**Validation Bypass:** By manipulating the `_acf_post_id` parameter, the attacker causes the function to silently select a cleanup branch that discards every validation error not carrying the `acfe:` prefix. This disables two critical security checks:

- the role permission list validation error added by `acfe_field_user_roles::validate_front_value()`;
- the administrator privilege protection error added by `acfe_module_form_action_user::validate_action()`.

**Unauthorized Administrator Creation:** Once these checks are bypassed, `wp_insert_user()` is executed with the `administrator` role argument supplied by the attacker. As a result, an unauthenticated user creates a new administrator account on the site, contrary to the intended purpose of the plugin.
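The three steps above describe one logic flaw: a user-controlled post id steers the handler into a branch that drops validation errors, and role assignment then runs on unvalidated input. The following PHP sketch is an added illustration written for this page; it is not ACF Extended's code, and the function names `my_form_validate_and_save()` and `my_form_collect_errors()` are hypothetical. It shows the prefix-filtering pattern the advisory describes next to a hardened handler that treats `_acf_post_id` as untrusted, never discards validation errors, and only honours a submitted role when the current user holds the WordPress `promote_users` capability (`current_user_can()`, `absint()`, `get_role()`, `get_option('default_role')`, `wp_insert_user()` and `WP_Error` are real WordPress APIs).

```php
<?php
// Added illustration, not plugin code. Names prefixed my_ are hypothetical.

// The pattern the advisory describes: a "cleanup" branch that keeps only
// errors prefixed "acfe:" silently throws away the role-permission and
// administrator-protection errors, so the save proceeds as if valid.
function my_unsafe_cleanup_errors( array $errors ) {
    return array_filter( $errors, function ( $e ) {
        return strpos( $e, 'acfe:' ) === 0;   // everything else is dropped
    } );
}

// Hardened handler: every error blocks the save, the target post must be
// editable by the current user, and the role is never attacker-controlled.
function my_form_validate_and_save( array $post ) {
    // 1. Resolve the target post only if the current user may edit it.
    $post_id = isset( $post['_acf_post_id'] ) ? absint( $post['_acf_post_id'] ) : 0;
    if ( $post_id && ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to save to this post.' );
    }

    // 2. Collect all validation errors; no prefix-based filtering, ever.
    $errors = my_form_collect_errors( $post );
    if ( ! empty( $errors ) ) {
        return new WP_Error( 'validation', implode( ' ', $errors ) );
    }

    // 3. Anonymous or low-privilege submitters always get the site default
    //    role; a submitted role is honoured only for users who may promote.
    $role = get_option( 'default_role', 'subscriber' );
    if ( ! empty( $post['role'] ) && current_user_can( 'promote_users' ) ) {
        $requested = sanitize_key( $post['role'] );
        if ( get_role( $requested ) ) {          // must be a registered role
            $role = $requested;
        }
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '', true ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => ! empty( $post['user_pass'] ) ? $post['user_pass'] : wp_generate_password(),
        'role'       => $role,
    ) );
}

// Hypothetical field validation; returns a list of human-readable errors.
function my_form_collect_errors( array $post ) {
    $errors = array();
    if ( empty( $post['user_login'] ) ) {
        $errors[] = 'user_login is required.';
    }
    if ( empty( $post['user_email'] ) || ! is_email( $post['user_email'] ) ) {
        $errors[] = 'acfe: a valid user_email is required.';
    }
    return $errors;
}
```

The point of the contrast is in step 3: even if a validation error were lost, the role written to `wp_insert_user()` is derived from the site default and the caller's capability, not from the request, so a missing check degrades to "default-role account created" rather than "administrator created". Defenders reviewing similar front-end form code should look for any branch that filters or resets an error list based on request data.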
### Logical Flow of Exploit Code
The following Python script is a proof of concept demonstrating how this vulnerability can be exploited. The code works by automating all the necessary steps.