business resources
Over 100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Popular Plugin
A critical unauthenticated Remote Code Execution vulnerability was discovered in the Advanced Custom Fields: Extended WordPress plugin, affecting over 100,000 sites. Wordfence responded with firewall protection for Premium users on November 20, 2025, and a patch was released by the plugin's team on November 21. Users are urged to update to version 0.9.2 immediately for security.
On November 18, 2025, a critical vulnerability was discovered in the widely-used WordPress plugin, Advanced Custom Fields: Extended, which has more than 100,000 active installations.
The vulnerability, classified as an unauthenticated Remote Code Execution (RCE) flaw, can be exploited remotely, putting countless websites at risk.
Discovery and disclosure
The vulnerability was identified by dudekmar, a researcher who responsibly reported the issue via the Wordfence Bug Bounty Program. In recognition of the discovery, dudekmar received a generous bounty of $4,290.00. This vulnerability underscores the ongoing importance of robust security practices within the WordPress ecosystem, highlighting the necessity of continuous vigilance in maintaining site integrity.
According to Wordfence, the company’s commitment to securing WordPress through defense-in-depth measures is a core aspect of its strategy. The discovery and immediate action taken reflect the ongoing investment in quality vulnerability research, as well as the fruitful collaboration with researchers like dudekmar.
Wordfence further emphasises its mission to make WordPress a more secure platform by detecting and preventing vulnerabilities across the board.
Response to the vulnerability
Wordfence responded rapidly to the vulnerability by implementing security measures for its Premium, Care, and Response users. A firewall rule was rolled out on November 20, 2025, to mitigate any potential exploits attempting to target the flaw. Users on the free version of Wordfence will receive the same protection, but with a delay, on December 20, 2025.
In addition to issuing firewall protections, Wordfence swiftly provided full disclosure of the issue to the ACF Extended team through the Wordfence Vulnerability Management Portal on November 20, 2025.
The ACF Extended team acted quickly, releasing a patch just a day later on November 21, 2025. This prompt response highlights the importance of timely action in the cybersecurity field, and Wordfence commends the ACF Extended team for their efficient handling of the matter.
Call to action for users
In light of the discovered vulnerability, Wordfence urges all users of Advanced Custom Fields: Extended to update their WordPress sites as soon as possible. The patch released by the ACF Extended team addresses the vulnerability and brings the plugin up to version 0.9.2 at the time of publication. Users are strongly advised to install the update to ensure their sites remain secure.
The importance of vulnerability research
The discovery of this remote code execution flaw reinforces the significance of proactive vulnerability research in safeguarding online platforms. With more than 100,000 installations of the Advanced Custom Fields: Extended plugin, the potential impact of this vulnerability is substantial.
As the plugin is widely used across WordPress websites, it is crucial that users act swiftly to update and patch their installations to prevent potential exploitation.
Through initiatives like the Wordfence Bug Bounty Program, Wordfence continues to engage with the broader security research community to strengthen WordPress security and provide timely protections to site owners. By collaborating with dedicated researchers, Wordfence helps ensure that WordPress remains a secure and reliable platform for millions of users worldwide.
