A severe vulnerability in the ACF Extended plugin allows unauthenticated attackers to gain admin permissions on WordPress sites. Exploitation hinges on a flaw in the user creation and update forms, which fail to enforce role restrictions. Approximately 50,000 sites remain at risk despite a patch released shortly after the issue was identified.