On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely.
Props to dudekmar, who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $4,290.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to
