CVE-2025-13486 is a critical remote code execution (RCE) vulnerability identified in the Advanced Custom Fields: Extended plugin for WordPress, specifically affecting versions 0.9.0.5 through 0.9.1.1. The vulnerability arises from improper control over code generation (CWE-94) within the prepare_form() function. This function accepts user-supplied input and passes it directly to PHP's call_user_func_array() without adequate sanitization or validation. This unsafe practice allows unauthenticated attackers to invoke arbitrary PHP functions with attacker-controlled parameters, effectively enabling execution of arbitrary code on the web server hosting the WordPress site. The impact of this vulnerability is severe, as attackers can inject backdoors, escalate privileges by creating new administrative users, or execute any code with the web server's privileges. The CVSS 3.1 score of 9.8 reflects the vulnerability's criticality, with an attack vector of network (AV:N), no required privileges (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits have been reported in the wild yet, the vulnerability's characteristics make it highly exploitable. The plugin is used to extend WordPress custom fields functionality, and its presence in many WordPress installations increases the attack surface. The lack of available patches at the time of disclosure further elevates the risk. Organizations relying on this plugin should consider immediate mitigation steps to prevent exploitation.

For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their web assets. Exploitation can lead to full server compromise, data theft, defacement, or persistent backdoors that facilitate long-term unauthorized access. Organizations running WordPress sites with this plugin, especially those handling sensitive customer data or critical business functions, could face severe operational disruption and reputational damage. The ability for unauthenticated attackers to exploit this remotely increases the likelihood of widespread attacks, including automated scanning and exploitation campaigns. Given Europe's stringent data protection regulations such as GDPR, a breach resulting from this vulnerability could also lead to substantial legal and financial penalties. Additionally, the compromise of administrative accounts could allow attackers to pivot within internal networks, escalating the threat beyond the web server itself. The lack of known exploits currently provides a small window for proactive defense, but the critical nature demands urgent attention.

1. Immediately identify and inventory all WordPress installations using the Advanced Custom Fields: Extended plugin, focusing on versions 0.9.0.5 through 0.9.1.1. 2. Disable or uninstall the vulnerable plugin until a secure patched version is released. 3. If disabling is not feasible, restrict access to the plugin's endpoints by implementing web application firewall (WAF) rules or IP whitelisting to block unauthenticated requests targeting the prepare_form() function. 4. Monitor web server and WordPress logs for unusual activity, such as unexpected calls to call_user_func_array() or creation of new administrative users. 5. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to detect and block suspicious PHP function calls. 6. Keep WordPress core and all plugins updated regularly and subscribe to security advisories for timely patching. 7. Conduct thorough security audits and penetration testing post-mitigation to ensure no backdoors or unauthorized accounts have been created. 8. Implement strict principle of least privilege for WordPress users and server processes to limit potential damage from exploitation.