CVE-2026-8809

WordPress · Advanced Custom Fields: Extended Plugin

The Advanced Custom Fields: Extended plugin for WordPress contains a validation bypass vulnerability that allows unauthenticated attackers to create new administrator accounts.

Executive summary

A critical privilege escalation vulnerability in the Advanced Custom Fields: Extended plugin allows unauthenticated attackers to create unauthorized administrator accounts on vulnerable WordPress sites.

Vulnerability

This is a privilege escalation vulnerability caused by a validation bypass in the after_validate_save_post() function. The plugin fails to verify the integrity of the _acf_post_id parameter, allowing an attacker to suppress validation errors and force the system to process a user registration with an arbitrary role, such as 'administrator'.

Business impact

With a CVSS score of 9.8, this is a critical vulnerability. The ability for an unauthenticated user to create a new administrator account grants the attacker total control over the site. This could lead to large-scale data breaches, installation of backdoors, and complete compromise of the site's server environment.

Remediation

Immediate Action: Update the "Advanced Custom Fields: Extended" plugin to the latest version without delay.

Proactive Monitoring: Audit the WordPress user database for newly created accounts or accounts with unexpected administrator privileges.
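The audit step above, as an added example that is not part of the advisory or the plugin: a Python check over a constructed extract of the WordPress wp_users/wp_usermeta tables (default wp_ table prefix assumed) that parses the PHP-serialized wp_capabilities role map and flags administrator accounts either created inside an assumed vulnerable window or missing from a known-admin allowlist. The window start date and all rows are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample rows shaped like the result of joining wp_users to
# wp_usermeta on meta_key = 'wp_capabilities':
# (ID, user_login, user_registered, meta_value). Real data would come from
# SELECT u.ID, u.user_login, u.user_registered, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#  WHERE m.meta_key = 'wp_capabilities'
SAMPLE_ROWS = [
    (1, "siteowner", "2021-03-04 10:00:00", 'a:1:{s:13:"administrator";b:1;}'),
    (17, "editor_jane", "2025-11-20 09:12:31", 'a:1:{s:6:"editor";b:1;}'),
    (42, "wpsupport", "2026-02-14 03:27:55", 'a:1:{s:13:"administrator";b:1;}'),
    (43, "guest_reader", "2026-02-15 11:00:00", 'a:1:{s:10:"subscriber";b:1;}'),
    (44, "admin2", "2026-02-16 00:05:10",
     'a:2:{s:13:"administrator";b:1;s:6:"editor";b:1;}'),
]

# Minimal parser for the PHP-serialized role map WordPress stores in
# wp_capabilities, e.g. a:1:{s:13:"administrator";b:1;}.
# A role counts as granted only when its flag is b:1 and the declared
# string length matches the role name (guards against mangled values).
ROLE_RE = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

def granted_roles(serialized):
    roles = set()
    for length, name, flag in ROLE_RE.findall(serialized):
        if int(length) == len(name.encode()) and flag == "1":
            roles.add(name)
    return roles

def suspicious_admins(rows, window_start, known_admins):
    """Return (ID, login, registered) for administrator accounts created on
    or after window_start, or whose login is not in the known-admin allowlist."""
    start = datetime.strptime(window_start, "%Y-%m-%d %H:%M:%S")
    hits = []
    for uid, login, registered, caps in rows:
        if "administrator" not in granted_roles(caps):
            continue
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if created >= start or login not in known_admins:
            hits.append((uid, login, registered))
    return hits

if __name__ == "__main__":
    # Placeholder: earliest date the vulnerable plugin version was installed.
    for hit in suspicious_admins(SAMPLE_ROWS, "2026-02-01 00:00:00", {"siteowner"}):
        print("REVIEW admin account:", hit)
```

Run it against a real export by replacing SAMPLE_ROWS with the rows from the query in the comment and the allowlist with the administrators you expect to exist.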

Compensating Controls: Use a Web Application Firewall (WAF) to block requests that contain suspicious _acf_post_id parameters or that target the specific form submission endpoints used by the plugin.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability poses an extreme risk due to the potential for unauthorized privilege escalation. Administrators must update the plugin immediately and audit current user lists to ensure no malicious accounts have been created during the period the plugin was vulnerable.