Saved February 14, 2026
Do you care about this?
A severe vulnerability in the ACF Extended plugin allows unauthenticated attackers to gain admin permissions on WordPress sites. Exploitation hinges on a flaw in the user creation and update forms, which fail to enforce role restrictions. Approximately 50,000 sites remain at risk despite a patch released shortly after the issue was identified.
If you do, here's more
A serious vulnerability has been found in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress, which affects around 100,000 sites. The flaw, identified as CVE-2025-14533, allows unauthenticated attackers to gain administrative privileges by exploiting the plugin’s ‘Insert User / Update User’ form action. Versions 0.9.2.1 and earlier lack proper role restrictions, meaning attackers can set user roles arbitrarily, even to ‘administrator’, despite field settings designed to limit this.
Wordfence, the security firm that verified the issue, highlighted that this vulnerability could lead to full site compromises if exploited. However, it specifically affects sites using a ‘Create User’ or ‘Update User’ form with a role field mapped. The issue was reported by researcher Andrea Bocchetti on December 10, 2025, and the vendor released a patch in version 0.9.2.2 just four days later. Despite the fix, approximately 50,000 sites remain potentially vulnerable if they haven't upgraded.
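The bug class described above, as an added illustration that is not ACF Extended’s code: a form handler that passes the submitted role straight through to user creation, beside one that enforces the field’s configured allow-list server-side. The `$field_config` shape and the two function names are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code). Both functions build the argument
// array a WordPress form handler would hand to wp_insert_user(). $field_config
// stands in for the form field's settings, which list the roles the site owner
// allowed this form to assign and the role to fall back to.

/**
 * Vulnerable pattern: the role posted with the form is trusted as-is, so the
 * field settings are never enforced on the server.
 */
function build_user_args_vulnerable(array $posted, array $field_config): array {
    return [
        'user_login' => $posted['user_login'],
        'user_email' => $posted['user_email'],
        'role'       => $posted['role'],   // attacker-controlled, may be 'administrator'
    ];
}

/**
 * Hardened pattern: the posted role must appear in the field's allow-list;
 * anything missing, malformed or not permitted collapses to the default role.
 */
function build_user_args_hardened(array $posted, array $field_config): array {
    $allowed = $field_config['allowed_roles'] ?? [];
    $default = $field_config['default_role'] ?? 'subscriber';
    $role    = (isset($posted['role']) && is_string($posted['role'])) ? $posted['role'] : $default;

    // Strict comparison: only a role this form was configured to offer is assigned.
    if (!in_array($role, $allowed, true)) {
        $role = $default;
    }

    return [
        'user_login' => $posted['user_login'],
        'user_email' => $posted['user_email'],
        'role'       => $role,
    ];
}

// Constructed sample: a public registration form limited to 'subscriber' and
// 'contributor' receives a request asking for 'administrator'.
$field_config = ['allowed_roles' => ['subscriber', 'contributor'], 'default_role' => 'subscriber'];
$posted       = ['user_login' => 'newuser', 'user_email' => 'new@example.test', 'role' => 'administrator'];

echo 'vulnerable assigns: ' . build_user_args_vulnerable($posted, $field_config)['role'] . PHP_EOL;
echo 'hardened assigns:   ' . build_user_args_hardened($posted, $field_config)['role'] . PHP_EOL;
```

The fix in the patched plugin version is the vendor’s own; this block only shows why validating the role against the field configuration, rather than trusting the request, closes the privilege escalation.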
There’s been no reported exploitation of this particular vulnerability yet, but threat monitoring firm GreyNoise has detected extensive reconnaissance activities targeting WordPress plugins. Between late October 2025 and mid-January 2026, nearly 1,000 IPs engaged in efforts to identify vulnerable plugins, with over 40,000 enumeration events recorded. The most notable targets include Post SMTP and LiteSpeed Cache, which have their own critical vulnerabilities needing urgent attention.