A critical privilege escalation vulnerability exists in The Advanced Custom Fields: Extended plugin for WordPress. This flaw allows an unauthenticated attacker to register a new user with full administrator privileges, granting them complete control over the affected website. Successful exploitation could lead to data theft, website defacement, and further compromise of the underlying server.

The vulnerability is a privilege escalation flaw within the insert_user function of the plugin. The function fails to properly validate or restrict the user roles that can be assigned during the registration process. An unauthenticated attacker can exploit this by submitting a registration request and including a parameter that sets the new user's role to 'administrator'. This is only possible if the site's administrator has configured the plugin to map the 'role' field to a custom user registration form.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit results in a full compromise of the WordPress application. An attacker with administrator access can steal sensitive user data, modify or delete content, install malicious plugins or backdoors, inject malware to attack site visitors, and potentially use the compromised web server as a pivot point to attack other systems within the network. The business impact includes severe reputational damage, potential financial loss from business disruption, regulatory fines for data breaches, and significant costs associated with incident response and system recovery.

Immediate Action: Immediately update The Advanced Custom Multiple Products to the latest version as recommended by the vendor. After patching, conduct a thorough audit of all user accounts with administrator privileges to ensure no unauthorized accounts exist. Review web server and application access logs for any suspicious user registration attempts prior to the patch being applied.

Proactive Monitoring: Monitor web server access logs for POST requests to user registration pages that contain parameters such as role=administrator or similar attempts to set a privileged role. Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, and plugins. Monitor for the creation of new user accounts with high privileges outside of normal administrative processes.

Compensating Controls: If patching is not immediately possible, implement the following controls:

• Disable the mapping of the 'role' field within the plugin's user registration form configuration. This is the most direct way to prevent exploitation.
• If not essential for business operations, temporarily disable user registration on the website entirely.
• Deploy a Web Application Firewall (WAF) with a virtual patch or custom rule to inspect registration requests and block any that attempt to set a user role.

Public Exploit Available: true

This vulnerability represents a critical and immediate threat to affected WordPress sites. Given the high CVSS score of 9.8 and the ease of exploitation for configured sites, organizations must treat this as a top priority. We strongly recommend applying the vendor-supplied patch without delay. Following the update, a security audit should be performed to search for indicators of compromise, such as unauthorized administrator accounts or modified files. Although this CVE is not currently listed on the CISA KEV list, its critical nature makes it a likely candidate for inclusion, underscoring the urgency for remediation.