CVE-2026-8809: Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.
HarborGuard Analysis
Synopsis
This is an unauthenticated privilege escalation in the Advanced Custom Fields: Extended WordPress plugin, affecting all versions up to and including 0.9.2.5. The bug is reachable over the network with no authentication and no user interaction: the after_validate_save_post() function trusts the attacker-controlled _acf_post_id POST parameter to select a cleanup branch that silently drops validation errors, letting an attacker bypass the role allow-list and administrator capability checks. Successful exploitation creates a new administrator-level WordPress account, giving full control of the site. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.
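To make the mechanism in the description and synopsis above concrete, here is an added, illustrative PHP reconstruction of the flaw pattern beside a hardened form. It is not the plugin's code and not HarborGuard's: the function names, the error-record shape, the `_acfe_nonce` field, the `$form_config` array and the condition that selects the cleanup branch are all assumptions; only the mechanism (a request-supplied `_acf_post_id` deciding whether validation errors not prefixed with `acfe:` are thrown away) comes from the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Error records are modelled as
// ['input' => name, 'message' => text, 'authz' => bool]; the 'authz' flag
// (an assumption) marks errors raised by authorization guards.

/** The two guard errors the advisory describes, for an attacker requesting 'administrator'. */
function collect_guard_errors(): array {
    return [
        ['input' => 'acf[role]', 'message' => 'Role is not in the allowed list',        'authz' => true],
        ['input' => 'acf[role]', 'message' => 'Not permitted to assign administrator', 'authz' => true],
    ];
}

/** The cleanup branch: keep only errors whose input name starts with "acfe:". */
function keep_only_acfe(array $errors): array {
    return array_values(array_filter(
        $errors,
        static fn(array $e): bool => str_starts_with($e['input'], 'acfe:')
    ));
}

/** Vulnerable: an unauthenticated, unverified POST field alone selects the cleanup branch. */
function vulnerable_after_validate(array $errors, array $post): array {
    // Placeholder condition: the advisory says the parameter selects the branch
    // but not which value does, so any non-empty value is treated as selecting it.
    if (($post['_acf_post_id'] ?? '') !== '') {
        return keep_only_acfe($errors);   // authorization errors silently vanish
    }
    return $errors;
}

/**
 * Hardened: the request must carry a valid nonce, the cleanup branch is chosen
 * from server-side form configuration rather than request input, and errors
 * flagged as authorization failures are never discarded. $verify_nonce stands
 * in for a nonce check bound to this form (in WordPress, wp_verify_nonce()).
 */
function hardened_after_validate(array $errors, array $post, array $form_config, callable $verify_nonce): array {
    if (!$verify_nonce((string) ($post['_acfe_nonce'] ?? ''))) {
        $errors[] = ['input' => 'acfe:form', 'message' => 'Invalid or missing nonce', 'authz' => true];
        return $errors;   // fail closed
    }
    if (!($form_config['cleanup_non_acfe_errors'] ?? false)) {
        return $errors;
    }
    return array_values(array_filter(
        $errors,
        static fn(array $e): bool => str_starts_with($e['input'], 'acfe:') || !empty($e['authz'])
    ));
}

/** The save path proceeds to wp_insert_user() only when no errors remain. */
function would_create_user(array $errors): bool {
    return $errors === [];
}

$guard_errors  = collect_guard_errors();
$attacker_post = ['_acf_post_id' => '1', 'acf' => ['role' => 'administrator']];   // constructed request
$config        = ['cleanup_non_acfe_errors' => true];

// Vulnerable path: both guard errors are dropped, so the insert would proceed.
var_dump(would_create_user(vulnerable_after_validate($guard_errors, $attacker_post)));

// Hardened path: fails closed without a valid nonce ...
var_dump(would_create_user(hardened_after_validate($guard_errors, $attacker_post, $config,
    static fn(string $n): bool => false)));

// ... and keeps the guard errors even for a genuine request with cleanup configured.
$genuine_post = $attacker_post + ['_acfe_nonce' => 'valid'];
var_dump(would_create_user(hardened_after_validate($guard_errors, $genuine_post, $config,
    static fn(string $n): bool => $n === 'valid')));
```

The design point is the last filter: a cleanup step may own and remove its own errors, but it must never be the place where another component's authorization decision is undone, and nothing the client sends should choose whether that step runs.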
HarborGuard Coverage
- Detection: Available
Detection runs across every HarborGuard environment: new advisories are ingested from upstream feeds within minutes of publication and matched against WordPress images in customer registries and CI pipelines. Coverage extends to custom-built images that bundle the Advanced Custom Fields: Extended plugin, including private forks and derived base images.
- Triage: Available
Triage applies the published CVSS 9.8 critical score and weights it against each customer's compliance policy, so environments with internet-exposed WordPress workloads can escalate this finding above lower-impact criticals. Findings are routed to the appropriate inbox inside each customer org based on image ownership and workload tags.
- Fix: Pending upstream
No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available as soon as hwk-fr ships a fixed release; customers with auto-remediation enabled then receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads.
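The version match that detection relies on is easy to get wrong with dotted four-part versions, so here is an added PHP example (not HarborGuard's tooling and not the plugin's code) that reads the `Version:` line from a WordPress plugin header and decides whether it falls in the advisory's affected range. The sample header is constructed; the assumption is only that the bundled plugin's main file carries a standard plugin header.

```php
<?php
declare(strict_types=1);

// Added example. Upper bound taken from the advisory: all versions <= 0.9.2.5.
const LAST_AFFECTED_VERSION = '0.9.2.5';

/** Extract the Version: header value from plugin file contents; null if absent. */
function plugin_header_version(string $contents): ?string {
    // Header lines look like " * Version: 0.9.2.5"; allow comment-leader characters.
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $contents, $m) === 1) {
        return $m[1];
    }
    return null;
}

/** True when $version <= LAST_AFFECTED_VERSION under component-wise ordering. */
function is_affected(string $version): bool {
    // version_compare() compares components numerically, so 0.9.2.10 > 0.9.2.5;
    // a plain string comparison would wrongly flag 0.9.2.10 as affected.
    return version_compare($version, LAST_AFFECTED_VERSION, '<=');
}

function classify_plugin_file(string $contents): string {
    $v = plugin_header_version($contents);
    if ($v === null) {
        return 'unknown: no Version header';
    }
    return is_affected($v) ? "affected ($v)" : "not affected ($v)";
}

// Constructed sample in the shape of a WordPress plugin header (not the real file).
$sample = <<<'HEADER'
<?php
/*
 * Plugin Name: Advanced Custom Fields: Extended
 * Version: 0.9.2.5
 */
HEADER;

echo classify_plugin_file($sample), PHP_EOL;
foreach (['0.9.2.4', '0.9.2.5', '0.9.2.10', '0.9.3'] as $v) {
    echo $v, ' => ', is_affected($v) ? 'affected' : 'not affected', PHP_EOL;
}
```

Until a fixed version is published, `is_affected()` can only report "affected" for every real release; the upper bound should be replaced with a strict `<` check against the fixed version once hwk-fr publishes one.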
Exploit Conditions
- Network reachability: Required
The attacker must reach a public ACFE frontend form over the network on the target WordPress site.
- Authentication: Not required
No account or session is needed; the validation bypass is triggered by an unauthenticated POST request.
- Victim interaction: Not required
No administrator or user action is required; the attacker submits the crafted form directly.
- Attack complexity: Low (AC:L)
The CVSS vector lists AC:L: nothing outside the attacker's control (no race, no special configuration, no victim-side state) is needed. The only precondition is on the target side: the site must expose an ACFE frontend form with a Create User action that maps a role field.
Blast Radius
- Creates a new administrator-level WordPress user account chosen by the attacker, granting full control of the site.
- Allows subsequent installation of arbitrary plugins or themes, which is a standard path to remote code execution on the underlying container unless file modifications are disabled (for example via the DISALLOW_FILE_MODS constant), in which case the attacker still holds full administrative control of the application.
- Permits reading and modifying all WordPress content, user records, and stored credentials or API tokens held in site options.
- Enables disruption of the site by deleting content, locking out legitimate administrators, or taking the application offline.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Wordfence advisory for this CVE, with the patched-image rebuild becoming available automatically as soon as hwk-fr ships a fixed release of Advanced Custom Fields: Extended. Until then, compensating-control guidance is surfaced alongside the finding: disable any public ACFE frontend form that uses a Create User action with a mapped role field, or remove the role mapping so the role is fixed server-side (the advisory names that mapping as a precondition for exploitation); place affected WordPress workloads behind authentication or IP allow-lists at the ingress layer; and apply egress filtering to limit post-exploitation reach. Because successful exploitation leaves behind a new administrator account rather than modifying an existing one, the user list should also be audited for unexpected administrator-level accounts. For environments with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are opened automatically once the upstream patch lands.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: — (no fixed version published)
- Affected Products: 1
  - hwk-fr / Advanced Custom Fields: Extended ≤ 0.9.2.5
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H