ACF Extended plugin bug gives attackers admin on 50,000 WordPress sites
A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress allows unauthenticated attackers to obtain administrator privileges, affecting approximately 50,000 sites. The flaw, tracked as CVE-2025-14533, arises because the plugin does not enforce role restrictions when a form creates or updates a user, even when role limitations are configured in the field settings, so a submitter can assign a role the form was never meant to grant. Discovered by security researcher Andrea Bocchetti, the issue was reported to Wordfence and subsequently addressed by the vendor in version 0.9.2.2; sites running earlier versions should update. Although no attacks targeting CVE-2025-14533 have been observed, large-scale reconnaissance activity against potentially vulnerable sites has been reported.
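As an added illustration of the flaw class the article describes (this is not ACF Extended's code; the option name, request field names and function names are hypothetical), the block below shows a front-end user form handler that trusts the submitted role, beside the same handler with the configured role restriction enforced server-side for both user creation and user update:

```php
<?php
/*
 * Added illustration of the flaw class, not ACF Extended's code: a front-end user
 * form whose role field is "restricted" in the field settings but whose handler
 * trusts whatever role the request carries. Assumes WordPress core functions
 * (wp_insert_user, wp_update_user, wp_roles, current_user_can) are loaded;
 * the option name, POST keys and function names below are hypothetical.
 */

// Roles the site owner allowed in the (hypothetical) form field settings.
function example_form_allowed_roles() {
    $configured = get_option( 'example_form_allowed_roles', array( 'subscriber' ) );
    return array_values( array_map( 'sanitize_key', (array) $configured ) );
}

// VULNERABLE: the allow-list exists in the settings but is never consulted.
// Anyone who adds role=administrator to the POST body gets an administrator
// account, which is the privilege escalation the article describes.
function example_create_user_vulnerable( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
        'role'       => sanitize_key( $post['role'] ?? 'subscriber' ),
    ) ); // int user ID on success, WP_Error on failure
}

// Server-side role check used by the hardened handlers: the requested role must
// be a real role, must be on the configured allow-list, and a role that can
// manage the site is only assignable by someone who can already promote users.
function example_validate_role( $requested ) {
    $role = sanitize_key( $requested );
    if ( ! wp_roles()->is_role( $role ) ) {
        return new WP_Error( 'invalid_role', 'Unknown role.' );
    }
    if ( ! in_array( $role, example_form_allowed_roles(), true ) ) {
        return new WP_Error( 'forbidden_role', 'Role not permitted by the form configuration.' );
    }
    $role_obj = get_role( $role );
    if ( $role_obj && $role_obj->has_cap( 'manage_options' ) && ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden_role', 'Privileged roles cannot be assigned from this form.' );
    }
    return $role;
}

// HARDENED create: the role reaches wp_insert_user() only after validation.
function example_create_user_hardened( array $post ) {
    $role = example_validate_role( $post['role'] ?? 'subscriber' );
    if ( is_wp_error( $role ) ) {
        return $role;
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
        'role'       => $role,
    ) );
}

// HARDENED update: the caller must be allowed to edit the target user, and the
// same role validation applies, so a logged-in subscriber editing their own
// profile (which WordPress permits) still cannot promote themselves.
function example_update_user_hardened( $user_id, array $post ) {
    $user_id = (int) $user_id;
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error( 'forbidden', 'You may not edit this user.' );
    }
    $role = example_validate_role( $post['role'] ?? '' );
    if ( is_wp_error( $role ) ) {
        return $role;
    }
    return wp_update_user( array( 'ID' => $user_id, 'role' => $role ) ); // int ID or WP_Error
}
```

The point is where the check lives: a role allow-list that exists only in the field settings, or only in the options rendered into the form, is not a control, because the request body is attacker-controlled. The handler that calls wp_insert_user() or wp_update_user() has to reject any role outside that list itself, and a public form should refuse to hand out roles with manage_options regardless of what the allow-list says.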