CVE-2025-14533: CWE-269 Improper Privilege Management in hwk-fr Advanced Custom Fields: Extended
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
AI Analysis
Technical Summary
CVE-2025-14533 is a critical privilege escalation vulnerability in the hwk-fr Advanced Custom Fields: Extended plugin for WordPress, affecting all versions up to and including 0.9.2.1. The vulnerability stems from improper privilege management (CWE-269) in the 'insert_user' function, which fails to restrict the roles that can be assigned during user registration. An unauthenticated attacker can exploit this by supplying the 'administrator' role if the 'role' field is mapped to a custom field, thereby gaining administrator access to the WordPress site. The vulnerability has a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical impact on confidentiality, integrity, and availability. No patch or remediation details are provided, and the plugin is not a cloud service, so remediation depends on vendor action or user mitigation.
Potential Impact
Successful exploitation allows an unauthenticated attacker to escalate privileges to administrator level on the affected WordPress site. This grants full control over site content, configuration, and user management, severely compromising confidentiality, integrity, and availability of the site. The vulnerability affects all versions up to 0.9.2.1 of the Advanced Custom Fields: Extended plugin. There are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should avoid mapping the 'role' field to custom fields in the plugin configuration to prevent exploitation. Monitor vendor channels for updates and apply patches promptly once available.
CVE-2025-14533: CWE-269 Improper Privilege Management in hwk-fr Advanced Custom Fields: Extended
Description
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-14533 is a critical privilege escalation vulnerability in the hwk-fr Advanced Custom Fields: Extended plugin for WordPress, affecting all versions up to and including 0.9.2.1. The vulnerability stems from improper privilege management (CWE-269) in the 'insert_user' function, which fails to restrict the roles that can be assigned during user registration. An unauthenticated attacker can exploit this by supplying the 'administrator' role if the 'role' field is mapped to a custom field, thereby gaining administrator access to the WordPress site. The vulnerability has a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical impact on confidentiality, integrity, and availability. No patch or remediation details are provided, and the plugin is not a cloud service, so remediation depends on vendor action or user mitigation.
Potential Impact
Successful exploitation allows an unauthenticated attacker to escalate privileges to administrator level on the affected WordPress site. This grants full control over site content, configuration, and user management, severely compromising confidentiality, integrity, and availability of the site. The vulnerability affects all versions up to 0.9.2.1 of the Advanced Custom Fields: Extended plugin. There are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should avoid mapping the 'role' field to custom fields in the plugin configuration to prevent exploitation. Monitor vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-11T10:11:32.336Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 696f4c7c4623b1157c28405e
Added to database: 1/20/2026, 9:35:56 AM
Last enriched: 4/9/2026, 9:51:15 AM
Last updated: 5/10/2026, 7:11:42 AM
Views: 322
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.