{"id":263,"date":"2026-01-19T00:00:00","date_gmt":"2026-01-18T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/hu\/kritikus-jogosultsag-emeles-acf-extended\/"},"modified":"2026-01-19T00:00:00","modified_gmt":"2026-01-18T23:00:00","slug":"kritikus-jogosultsag-emeles-acf-extended","status":"publish","type":"post","link":"https:\/\/helloblog.io\/hu\/kritikus-jogosultsag-emeles-acf-extended\/","title":{"rendered":"Critical privilege escalation bug in the ACF Extended plugin: how it can turn into admin access"},"content":{"rendered":"\n<p>According to a recent Wordfence vulnerability report, the <strong>Advanced Custom Fields: Extended<\/strong> (ACF Extended for short) plugin contained a <strong>critical privilege escalation<\/strong> flaw which, under certain configurations, can let an attacker <strong>obtain the administrator role without logging in<\/strong>. The plugin runs on more than <strong>100,000 active installations<\/strong> in the WordPress ecosystem, so it is worth taking seriously.<\/p>\n\n\n\n<p>The good news: the fix is available, and Wordfence also shipped a firewall (WAF) rule to protect its own users. The bad news: if you have published an ACF Extended form that creates or updates a user and also contains a role field, the bug can very quickly turn into a full site takeover.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What exactly is affected?<\/h2>\n\n\n\n<p>According to the Wordfence summary, the vulnerability affects <strong>Advanced Custom Fields: Extended &lt;= 0.9.2.1<\/strong> and was fixed in version <strong>0.9.2.2<\/strong>. The CVSS score is <strong>9.8 (Critical)<\/strong>, and the CVE identifier is <strong>CVE-2025-14533<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Affected plugin: Advanced Custom Fields: Extended<\/li>\n\n\n<li>Plugin slug: <code>acf-extended<\/code><\/li>\n\n\n<li>Affected versions: <code>&lt;= 0.9.2.1<\/code><\/li>\n\n\n<li>Fixed version: <code>0.9.2.2<\/code><\/li>\n\n\n<li>CVE: CVE-2025-14533<\/li>\n\n\n<li>Severity: 9.8 \/ 10 (critical)<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How does this lead to admin rights? (in plain terms, from a developer's perspective)<\/h2>\n\n\n\n<p>ACF Extended is an add-on for ACF (Advanced Custom Fields): it adds extra field types, a form handler and several convenience features. According to the Wordfence description, the problematic part is the plugin's \u201cuser form action\u201d logic, where submitting a form makes the system create (or update) a user.<\/p>\n\n\n\n<p>The core of the problem: the plugin's <code>insert_user()<\/code> flow calls the WordPress <code>wp_insert_user()<\/code> function to create the user, and builds its arguments from the submitted form fields. According to Wordfence, the roles are <strong>not properly restricted<\/strong>, so if an attacker can get an <code>administrator<\/code> role through the form, a user with administrator privileges can be created.<\/p>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Important condition: not every installation is affected in the same way<\/h4>\n\n\n<p>According to Wordfence's note, the attack can be exploited <strong>when<\/strong> the <code>role<\/code> field in the form is actually mapped to the custom field, and there is an ACF Extended form action that creates or updates a user.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Why is privilege escalation particularly dangerous in WordPress?<\/h2>\n\n\n\n<p>Privilege escalation in WordPress is typically not \u201cjust\u201d someone seeing a few more menu items: once an attacker obtains admin rights, they get the same capabilities as a real administrator.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Installing\/uploading plugins and themes (including a malicious zip with a backdoor)<\/li>\n\n\n<li>Modifying PHP files (if the environment allows it), or changing configuration through the admin interface<\/li>\n\n\n<li>Modifying pages\/posts, injecting redirects and spam<\/li>\n\n\n<li>Creating new admin users, locking out existing ones<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What should you do now? (quick checklist)<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n\n<li>Check whether Advanced Custom Fields: Extended (<code>acf-extended<\/code>) is running on your site.<\/li>\n\n\n<li>Check the version: <code>0.9.2.1<\/code> or older is affected.<\/li>\n\n\n<li>Update to the available fixed version: <strong>0.9.2.2<\/strong> (according to the advisory, this is the patched release).<\/li>\n\n\n<li>Review whether you use an ACF Extended form with a \u201cCreate user\u201d or \u201cUpdate user\u201d action, and whether it contains a role field (or a role field mapping).<\/li>\n\n\n<li>If such a form is exposed on a public page, updating is especially urgent.<\/li>\n\n<\/ol>\n\n\n\n<div class=\"wp-block-group callout callout-info is-style-info is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Wordfence protection (WAF rule)<\/h4>\n\n\n<p>According to Wordfence, Premium\/Care\/Response users received a firewall rule against these attacks on <strong>11 December 2025<\/strong>. Wordfence Free users received the same protection on <strong>10 January 2026<\/strong>.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Briefly on the background and the timeline<\/h2>\n\n\n\n<p>According to Wordfence, the bug was reported by Andrea Bocchetti through responsible disclosure via the Wordfence Bug Bounty Program, and the vendor responded quickly: they received the details through the Wordfence Vulnerability Management Portal and released the fix shortly afterwards.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>2025-12-10: the report about the bug arrived at Wordfence<\/li>\n\n\n<li>2025-12-11: validation + PoC confirmed; Premium\/Care\/Response WAF rule released; vendor notified<\/li>\n\n\n<li>2025-12-14: the fixed version (0.9.2.2) released<\/li>\n\n\n<li>2026-01-10: Wordfence Free sites also received the WAF protection<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What should developers take away from this?<\/h2>\n\n\n\n<p>This case is a good example of how a UI-level restriction (for example an \u201cAllow User Role\u201d setting on a field) is <strong>not a security control<\/strong> if the server-side logic does not enforce the same thing. If a form can pass a field to the backend that affects privileges (role, capability, user meta), that field must always be explicitly whitelisted and validated on the server side.<\/p>\n\n\n\n<div class=\"wp-block-group callout callout-success is-style-success is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Bottom line<\/h4>\n\n\n<p>Update ACF Extended to version <strong>0.9.2.2<\/strong>, and check whether you have a public user-creating\/updating form with a role field. That combination is the critical risk.<\/p>\n\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1600\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-1-scaled-1.png\" alt=\"ACF Extended: the role field and the settings for restricting the role in the field group\" class=\"wp-image-261\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-1-scaled-1.png 2560w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-1-scaled-1-300x188.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-1-scaled-1-1024x640.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-1-scaled-1-768x480.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-1-scaled-1-1536x960.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-1-scaled-1-2048x1280.png 2048w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-1-scaled-1-400x250.png 400w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><figcaption class=\"wp-element-caption\">Wordfence's example: the role field shows the option to restrict it (Allow User Role). <em>Source: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1599\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-2-scaled-1.png\" alt=\"ACF Extended form configured with a Create user action and field mapping\" class=\"wp-image-262\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-2-scaled-1.png 2560w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-2-scaled-1-300x187.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-2-scaled-1-1024x640.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-2-scaled-1-768x480.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-2-scaled-1-1536x959.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-2-scaled-1-2048x1279.png 2048w, https:\/\/helloblog.io\/app\/uploads\/sites\/2\/2026\/01\/acfe-2-scaled-1-400x250.png 400w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><figcaption class=\"wp-element-caption\">The form's \u201cCreate user\u201d action with field mapping: this is where the problem appears if the role field is passed through as well. <em>Source: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n<div class=\"references-section\">\n                <h2>References \/ Sources<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/www.wordfence.com\/blog\/2026\/01\/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin<\/a><\/li><li><a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/acf-extended\/advanced-custom-fields-extended-0921-unauthenticated-privilege-escalation-via-insert-user-form-action\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended &lt;= 0.9.2.1 &#8212; Unauthenticated Privilege Escalation via Insert User Form Action<\/a><\/li><li><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-14533\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2025-14533<\/a><\/li><li><a href=\"https:\/\/wordpress.org\/plugins\/acf-extended\/\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended<\/a><\/li><\/ul>\n            <\/div>","protected":false},"excerpt":{"rendered":"<p>If Advanced Custom Fields: Extended (ACF Extended) runs on your site and you use it for a user-creation form, a badly handled role field can yield admin rights even without logging in. Here is how to tell whether you are affected, and what to do.<\/p>\n","protected":false},"author":4,"featured_media":260,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[112,69,111,13,10],"class_list":["post-263","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-biztonsag","tag-acf","tag-biztonsag","tag-bovitmeny","tag-wordfence","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/posts\/263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/comments?post=263"}],"version-history":[{"count":0,"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/posts\/263\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/media\/260"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/media?parent=263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/categories?post=263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/hu\/wp-json\/wp\/v2\/tags?post=263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}