CVE-2025-13486 is a critical remote code execution (RCE) vulnerability affecting the Advanced Custom Fields: Extended plugin for WordPress, specifically versions 0.9.0.5 through 0.9.1.1. The vulnerability stems from the prepare_form() function, which improperly handles user input by passing it directly to PHP's call_user_func_array() without sufficient validation or sanitization. This CWE-94 (Improper Control of Generation of Code) weakness allows unauthenticated attackers to inject and execute arbitrary PHP code on the server hosting the WordPress site. Because the function is accessible without authentication and requires no user interaction, exploitation is straightforward. Successful exploitation can lead to full system compromise, including the installation of persistent backdoors, creation of new administrative user accounts, and complete control over the website and potentially the underlying server. The vulnerability carries a CVSS v3.1 score of 9.8 (critical), reflecting its high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. Although no public exploits have been reported yet, the nature of the flaw and the popularity of WordPress make it a prime target for attackers. The lack of available patches at the time of disclosure further increases the urgency for mitigation.

For European organizations, this vulnerability poses a severe risk due to the widespread use of WordPress for corporate websites, intranets, and e-commerce platforms. Exploitation can lead to unauthorized access to sensitive data, including personal customer information protected under GDPR, resulting in regulatory penalties and loss of customer trust. Attackers could deface websites, disrupt services, or use compromised servers as pivot points for further attacks within the organization's network. The ability to create administrative accounts or install backdoors means long-term persistence and potential lateral movement. This can severely impact business continuity, brand reputation, and compliance posture. Organizations in sectors such as finance, healthcare, government, and e-commerce are particularly at risk due to the sensitivity of their data and the criticality of their online presence.

Given the absence of an official patch at the time of disclosure, European organizations should immediately implement the following mitigations: 1) Disable or remove the Advanced Custom Fields: Extended plugin if it is not essential. 2) Restrict access to the WordPress admin and plugin directories via web server configuration or firewall rules to limit exposure to unauthenticated requests targeting the vulnerable function. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests invoking the prepare_form() function or unusual call_user_func_array() usage patterns. 4) Monitor server and application logs for signs of exploitation attempts, such as unexpected PHP function calls or new administrative user creation. 5) Regularly back up WordPress sites and databases to enable rapid restoration in case of compromise. 6) Follow vendor channels closely for patches or updates and apply them immediately upon release. 7) Conduct security audits and penetration tests focusing on plugin vulnerabilities and code injection risks. These targeted actions go beyond generic advice and address the specific exploitation vector of this vulnerability.