{"id":159,"date":"2026-01-19T00:00:00","date_gmt":"2026-01-18T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/lv\/kritiska-privilegiju-eskalacija-acf-extended-registracijas-forma\/"},"modified":"2026-01-19T00:00:00","modified_gmt":"2026-01-18T23:00:00","slug":"kritiska-privilegiju-eskalacija-acf-extended-registracijas-forma","status":"publish","type":"post","link":"https:\/\/helloblog.io\/lv\/kritiska-privilegiju-eskalacija-acf-extended-registracijas-forma\/","title":{"rendered":"Critical privilege escalation in ACF Extended: when a registration form can create an administrator"},"content":{"rendered":"\n<p>WordPress security practice has one classic red line: <em>any way for an anonymous user to influence their own role<\/em> almost always ends in full site compromise. Exactly this scenario was described in a Wordfence report on the <strong>Advanced Custom Fields: Extended<\/strong> plugin (hereafter <em>ACF Extended<\/em>), which has 100,000+ active installations.<\/p>\n\n\n\n<p>The vulnerability lets an unauthenticated attacker obtain administrator privileges if the site has a particular kind of form: one built with the ACF Extended \u201cForm manager\u201d that uses the <strong>Create user<\/strong> or <strong>Update user<\/strong> action and maps the user <strong>role<\/strong> to a form field.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is ACF Extended, and where does the risk come from?<\/h2>\n\n\n\n<p>ACF Extended is an add-on for the popular <strong>Advanced Custom Fields (ACF)<\/strong> plugin: it adds extra field types, form management (form manager) and various automations. 
In practice that means: from the admin area you can assemble a field group, build a front-end form and attach an action to it, for example creating a user.<\/p>\n\n\n\n<p>The problem starts when such a form is used for registration or profile updates and its configuration includes a role field. In theory the role can be restricted with a setting such as \u201cAllow User Role\u201d, but in the vulnerable version the form handler does not actually enforce that restriction.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Vulnerability summary (CVE-2025-14533)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Affected plugin: Advanced Custom Fields: Extended (acf-extended)<\/li>\n\n\n<li>Affected versions: <strong>&lt;= 0.9.2.1<\/strong><\/li>\n\n\n<li>Fixed version: <strong>0.9.2.2<\/strong><\/li>\n\n\n<li>CVE: <strong>CVE-2025-14533<\/strong><\/li>\n\n\n<li>Severity: <strong>CVSS 9.8 (Critical)<\/strong><\/li>\n\n\n<li>Attack type: <strong>Unauthenticated Privilege Escalation<\/strong> (privilege escalation without logging in)<\/li>\n\n<\/ul>\n\n\n\n<p>According to the Wordfence write-up, the root cause is in the <code>insert_user<\/code> function, which builds the argument array for the form action and passes it to <code>wp_insert_user()<\/code>. 
If the form accepts a field that maps to <code>role<\/code>, an attacker can submit the value <code>administrator<\/code> and end up with admin rights; the values offered in the rendered form do not matter, because the POST body is entirely under the attacker's control.<\/p>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">An important nuance about exploitability<\/h4>\n\n\n<p>This is critical only if your site really has a form with the \u201cCreate user\u201d or \u201cUpdate user\u201d action in which <strong>the role is mapped to a custom field<\/strong>. If ACF Extended is used only for field groups and exposes no public user-creation forms, the risk may not be practically exploitable.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">What the attack looks like in practice (without exploitation details)<\/h2>\n\n\n\n<p>From a developer's point of view this is a textbook \u201ctrust boundary\u201d violation: at the UI level you appear to restrict the role choice, but on the server side the validation\/whitelist is not consistently enforced. 
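<\/p>\n\n\n\n<p>To make that boundary concrete, here is an added illustration written for this article (it is not ACF Extended's code, nor anything from the Wordfence report) of the unsafe shape the advisory describes next to a hardened handler. It assumes WordPress is loaded, so core functions such as <code>wp_insert_user()<\/code>, <code>wp_roles()<\/code>, <code>get_role()<\/code> and <code>current_user_can()<\/code> are available; the function names and the <code>$allowed_roles<\/code> argument, which stands in for whatever the form's \u201cAllow User Role\u201d style setting resolves to, are assumptions.<\/p>\n\n\n\n
```php
<?php
// Added illustration for this article; it is not ACF Extended's code.
// Assumes WordPress is loaded, so wp_insert_user(), wp_roles(), get_role(),
// current_user_can(), get_option() and the sanitize_*() helpers exist.

// Unsafe pattern (the shape the advisory describes): the form field mapped
// to 'role' is copied straight into the wp_insert_user() arguments. Nothing
// server-side checks it, so an anonymous POST with role=administrator
// produces an administrator.
function unsafe_insert_user(array $submitted)
{
    $args = [
        'user_login' => $submitted['user_login'] ?? '',
        'user_email' => $submitted['user_email'] ?? '',
        'user_pass'  => $submitted['user_pass'] ?? wp_generate_password(),
    ];
    if (isset($submitted['role'])) {
        $args['role'] = $submitted['role']; // attacker-controlled
    }
    return wp_insert_user($args); // user ID, or WP_Error
}

// Hardened pattern: the role is decided from server-side state only.
// $allowed_roles is a hypothetical stand-in for the form's configured
// 'Allow User Role' list, e.g. ['subscriber', 'customer'].
function hardened_insert_user(array $submitted, array $allowed_roles)
{
    $args = [
        'user_login' => sanitize_user((string) ($submitted['user_login'] ?? ''), true),
        'user_email' => sanitize_email((string) ($submitted['user_email'] ?? '')),
        'user_pass'  => $submitted['user_pass'] ?? wp_generate_password(),
        'role'       => resolve_role((string) ($submitted['role'] ?? ''), $allowed_roles),
    ];
    return wp_insert_user($args);
}

// Returns the role slug that is safe to assign for this request.
function resolve_role(string $requested, array $allowed_roles): string
{
    $default   = (string) get_option('default_role', 'subscriber');
    $requested = sanitize_key($requested);

    // Unless the caller is logged in and may promote users, strip every role
    // that carries a privileged capability from the allowlist, whatever the
    // form configuration says. This keeps a public form safe even when an
    // administrator mis-configured it.
    if (!is_user_logged_in() || !current_user_can('promote_users')) {
        $allowed_roles = array_filter($allowed_roles, function ($slug): bool {
            $role = get_role((string) $slug);
            return $role !== null
                && empty($role->capabilities['manage_options'])
                && empty($role->capabilities['edit_users']);
        });
    }

    // Allowlist check: the slug must be offered by this form AND exist.
    if ($requested !== ''
        && in_array($requested, $allowed_roles, true)
        && wp_roles()->is_role($requested)) {
        return $requested;
    }
    return $default; // anything else falls back to the site default role
}

// For an 'Update user' action the same resolve_role() applies, and the
// request must not be allowed to choose which user is updated unless the
// caller passes current_user_can('edit_user', $user_id) for that ID.
```
\n\n\n\n<p>The point of <code>resolve_role()<\/code> is that the decision is made from server-side state (the form's configured allowlist, the site's default role, the submitter's capabilities) and the submitted value is only ever matched against that state, never copied through. The strict <code>in_array()<\/code> plus <code>wp_roles()->is_role()<\/code> pair rejects both unknown role slugs and roles the form was not configured to offer, and the capability filter means a role such as <code>administrator<\/code> can never be reached from an anonymous request even if someone adds it to the form settings.<\/p>\n\n\n\n<p>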
As a result, a form meant for ordinary registration can turn into an administrator \u201cself-service\u201d endpoint.<\/p>\n\n\n\n<p>Once the attacker holds an administrator account, practically the whole WordPress admin arsenal is open to them: uploading plugins\/themes (which usually means dropping a backdoor), replacing page content with spam or redirects, creating further admins, exfiltrating integration keys and so on.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What to do right now: checks and fixes<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n\n<li><strong>Update ACF Extended to 0.9.2.2 or later.<\/strong> This is the main and safest step.<\/li>\n\n\n<li><strong>Inventory your public forms.<\/strong> In the ACF Extended \u201cForm manager\u201d section, find every form that uses the \u201cCreate user\u201d or \u201cUpdate user\u201d action.<\/li>\n\n\n<li><strong>Check whether a <code>role<\/code> field is mapped.<\/strong> If a user-selectable role is not a business requirement at all, remove that field from the form and from the mapping.<\/li>\n\n\n<li><strong>Review the user list.<\/strong> Look for recently created administrators or suspicious accounts (e.g. unknown e-mail addresses). Because the \u201cUpdate user\u201d action is affected as well, an existing low-privilege account may have been promoted rather than newly created, so compare the current administrator list against what you expect, not only the registration dates.<\/li>\n\n\n<li><strong>Enable\/update WAF rules.<\/strong> If you use Wordfence, note that the protection rule reached Premium\/Care\/Response users earlier and Free users later (according to the announcement).<\/li>\n\n<\/ol>\n\n\n\n<div class=\"wp-block-group callout callout-info is-style-info is-layout-flow wp-block-group-is-layout-flow\" 
style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Security \u201chygiene\u201d for forms<\/h4>\n\n\n<p>If your project has any front-end user creation\/update forms, keep a checklist: server-side validation, role whitelists, CSRF protection and least privilege. UI restrictions on their own are not a security mechanism.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Why this case is a good reminder for developers<\/h2>\n\n\n\n<p>The ACF Extended case shows well how \u201clow-code\u201d style solutions in the WordPress ecosystem can build very powerful (and sometimes dangerous) flows. Once a form starts acting as a user-management layer, it effectively becomes part of the authentication\/authorization system. 
And then any mistake in role handling becomes a critical incident.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Timeline (per the announcement)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>2025-12-10: Wordfence receives the vulnerability report.<\/li>\n\n\n<li>2025-12-11: the report is validated; a firewall rule is pushed to Premium\/Care\/Response users; details are passed to the plugin developers through the Vulnerability Management Portal.<\/li>\n\n\n<li>2025-12-14: the fix is released as ACF Extended 0.9.2.2.<\/li>\n\n\n<li>2026-01-10: Wordfence Free users receive the equivalent protection rule.<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">In short<\/h2>\n\n\n\n<p>If your WordPress installation runs <strong>ACF Extended &lt;= 0.9.2.1<\/strong>, the priority is simple: <strong>update to 0.9.2.2<\/strong> and check whether any public form maps the user role. 
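<\/p>\n\n\n\n<p>The following audit script is an added example written for this article (it is not shipped by Wordfence or by the plugin). It turns the update and user-review steps into two checks you can run inside WordPress, for example with WP-CLI via <code>wp eval-file acfe-audit.php<\/code>: it compares the installed ACF Extended version against 0.9.2.2 and lists administrator accounts registered on or after the 2025-12-10 report date from the timeline. The plugin's main-file slug <code>acf-extended\/acf-extended.php<\/code> and the WP-CLI invocation are assumptions about your install.<\/p>\n\n\n\n
```php
<?php
// Added audit example for this article; not code from Wordfence or ACF Extended.
// Run inside WordPress, e.g.:  wp eval-file acfe-audit.php
// (assumes WP-CLI; the plugin's main-file slug below is an assumption).

// Returns true if the installed ACF Extended is in the affected range
// (<= 0.9.2.1), false if it is patched, null if the plugin is not installed.
function acfe_version_is_vulnerable(): ?bool
{
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $plugins = get_plugins();
    $main    = 'acf-extended/acf-extended.php'; // assumed main-file slug
    if (!isset($plugins[$main])) {
        return null;
    }
    return version_compare($plugins[$main]['Version'], '0.9.2.2', '<');
}

// Lists administrators whose account was registered on or after $since.
// The report date from the timeline is the default; widen the window if
// your logs give no lower bound for when the form was exposed.
function administrators_registered_since(string $since = '2025-12-10'): array
{
    $query = new WP_User_Query([
        'role'       => 'administrator',
        'date_query' => [['after' => $since, 'inclusive' => true]],
        'orderby'    => 'registered',
        'order'      => 'DESC',
        'fields'     => ['ID', 'user_login', 'user_email', 'user_registered'],
    ]);
    return $query->get_results();
}

$state = acfe_version_is_vulnerable();
echo 'ACF Extended: ' . ($state === null
        ? 'not installed'
        : ($state ? 'VULNERABLE, update to 0.9.2.2' : 'patched')) . PHP_EOL;

foreach (administrators_registered_since() as $user) {
    echo implode(' | ', [$user->ID, $user->user_login, $user->user_email, $user->user_registered]) . PHP_EOL;
}
```
\n\n\n\n<p>Registration date alone only catches accounts created through a \u201cCreate user\u201d form. Because the \u201cUpdate user\u201d action is affected too, an attacker could instead have promoted an existing account, and WordPress keeps no role-change log by default; for that case compare the full administrator list (the query above with the <code>date_query<\/code> removed) against a known-good baseline, and correlate with web-server access logs for POST requests to the page hosting the form.<\/p>\n\n\n\n<p>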
This is exactly the kind of vulnerability where a single configuration detail can turn into full admin access for an anonymous visitor.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1600\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-1-scaled-1.png\" alt=\"Example ACF Extended field group with the user role restriction setting\" class=\"wp-image-157\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-1-scaled-1.png 2560w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-1-scaled-1-300x188.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-1-scaled-1-1024x640.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-1-scaled-1-768x480.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-1-scaled-1-1536x960.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-1-scaled-1-2048x1280.png 2048w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-1-scaled-1-400x250.png 400w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><figcaption class=\"wp-element-caption\">The role field can look restricted in the configuration, but in the vulnerable version the form does not always enforce that restriction server-side. 
<em>Source: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1599\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-2-scaled-1.png\" alt=\"ACF Extended form with the Create user action and field mapping\" class=\"wp-image-158\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-2-scaled-1.png 2560w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-2-scaled-1-300x187.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-2-scaled-1-1024x640.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-2-scaled-1-768x480.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-2-scaled-1-1536x959.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-2-scaled-1-2048x1279.png 2048w, https:\/\/helloblog.io\/app\/uploads\/sites\/19\/2026\/01\/acfe-2-scaled-1-400x250.png 400w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><figcaption class=\"wp-element-caption\">The risk point appears when a \u201cCreate user\/Update user\u201d form maps <code>role<\/code> and that field can be submitted from a public form. 
<em>Source: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n<div class=\"references-section\">\n                <h2>References \/ Sources<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/www.wordfence.com\/blog\/2026\/01\/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin<\/a><\/li><li><a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/acf-extended\/advanced-custom-fields-extended-0921-unauthenticated-privilege-escalation-via-insert-user-form-action\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended &lt;= 0.9.2.1 &#8212; Unauthenticated Privilege Escalation via Insert User Form Action<\/a><\/li><li><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-14533\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2025-14533<\/a><\/li><li><a href=\"https:\/\/wordpress.org\/plugins\/acf-extended\/\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended (WordPress.org plugin page)<\/a><\/li><\/ul>\n            <\/div>","protected":false},"excerpt":{"rendered":"<p>If your project uses ACF Extended for user creation\/update forms, a single mis-mapped field can open a path for an anonymous attacker all the way to the administrator role. 
Below: what exactly happened and what to check in your own WordPress installation.<\/p>\n","protected":false},"author":53,"featured_media":156,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[80,81,61,15,10],"class_list":["post-159","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-drosiba","tag-acf-extended","tag-cve","tag-ievainojamibas","tag-wordfence","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/posts\/159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/comments?post=159"}],"version-history":[{"count":0,"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/posts\/159\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/media\/156"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/media?parent=159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/categories?post=159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/lv\/wp-json\/wp\/v2\/tags?post=159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}