A critical remote code execution vulnerability has been discovered in The Advanced Custom Fields: Extended plugin for WordPress. This flaw allows unauthenticated attackers to take complete control of an affected website without needing any credentials, potentially leading to data theft, website defacement, or the installation of malicious backdoors. Immediate patching is required to prevent server compromise.

The vulnerability exists within the prepare_form() function of the plugin. This function improperly handles user-supplied input by passing it directly to the call_user_func_array() PHP function. An unauthenticated attacker can craft a malicious request that provides a dangerous payload as input, tricking the function into executing arbitrary PHP code on the server. This allows for a full server compromise, enabling the attacker to perform actions such as creating new administrative accounts, exfiltrating sensitive data, or injecting a persistent backdoor.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation would result in a complete loss of confidentiality, integrity, and availability for the affected website and its underlying server. The business impact includes the potential for significant data breaches involving customer or internal information, financial loss from fraudulent activity, severe reputational damage, and the cost associated with incident response and system recovery. The compromised server could also be used to launch further attacks against other systems, creating additional legal and financial liabilities.

Immediate Action: Immediately update The Advanced Custom Fields: Extended plugin to the latest version available (a version later than 0.9.1.1) to patch the vulnerability. After patching, review server access logs and audit WordPress user accounts for any unauthorized administrative users or suspicious activity that may have occurred prior to remediation.

Proactive Monitoring: System administrators should actively monitor web server access logs for unusual POST requests, particularly those targeting WordPress AJAX endpoints (admin-ajax.php) or other plugin-specific endpoints. Scrutinize requests for payloads containing PHP function names like system, shell_exec, passthru, or eval. Additionally, monitor file systems for unexpected new or modified PHP files in web-accessible directories and set up alerts for the creation of new high-privileged user accounts.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to block malicious payloads targeting the call_user_func_array() sink in this plugin. As a last resort, disable the vulnerable plugin until it can be safely updated.

Public Exploit Available: false

Due to the critical 9.8 CVSS score and the potential for a complete, unauthenticated server compromise, this vulnerability represents a severe and immediate threat. We strongly recommend that all organizations using the affected versions of The Advanced Custom Fields: Extended plugin treat this as an emergency and apply the vendor-supplied patch immediately. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. After patching, a thorough compromise assessment should be conducted to ensure the integrity of the web server and its data has not been compromised.