CVE-2025-13486 is a critical remote code execution (RCE) vulnerability affecting the Advanced Custom Fields: Extended plugin for WordPress, specifically versions 0.9.0.5 through 0.9.1.1. The vulnerability arises from the prepare_form() function, which accepts user-supplied input and passes it unsafely to PHP's call_user_func_array() function. This improper control of code generation (CWE-94) allows an unauthenticated attacker to execute arbitrary PHP code on the web server hosting the vulnerable plugin. The attack vector requires no authentication or user interaction, making exploitation straightforward for remote attackers. Successful exploitation can lead to the injection of malicious backdoors, unauthorized creation of administrative user accounts, and complete compromise of the WordPress site and underlying server. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability. No official patches or updates are currently listed, increasing the urgency for mitigation. Although no known exploits have been reported in the wild yet, the vulnerability’s characteristics and WordPress’s popularity make it a prime target for attackers. The plugin’s user base, often including websites with custom content management needs, expands the potential attack surface significantly.

The impact of CVE-2025-13486 is severe and far-reaching. Organizations using the affected plugin versions face the risk of complete system compromise due to remote code execution without any authentication barriers. Attackers can inject persistent backdoors, enabling long-term unauthorized access, data theft, or manipulation. They can also create new administrative users, effectively locking out legitimate administrators and gaining full control over the WordPress environment. This can lead to defacement, data breaches, ransomware deployment, or use of the compromised server as a pivot point for further attacks within the network. The availability of the affected websites can be disrupted, damaging business operations and reputation. Given WordPress’s dominant market share in content management systems globally, the vulnerability poses a significant threat to a wide range of industries, including e-commerce, media, education, and government websites. The lack of required authentication and user interaction lowers the barrier for exploitation, increasing the likelihood of attacks once exploit code becomes publicly available.

Immediate mitigation steps include upgrading the Advanced Custom Fields: Extended plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, organizations should consider disabling or removing the plugin if feasible. Implementing a Web Application Firewall (WAF) with custom rules to block suspicious requests targeting the prepare_form() function or unusual call_user_func_array() usage can provide temporary protection. Restricting access to the WordPress admin and plugin directories via IP whitelisting or VPN can reduce exposure. Monitoring server and application logs for anomalous PHP function calls or unexpected administrative user creations is critical for early detection. Employing principle of least privilege for WordPress users and server processes limits the damage potential. Regular backups and incident response plans should be in place to recover quickly if compromise occurs. Security teams should stay alert for public exploit releases and threat intelligence updates related to this CVE.