{"id":153,"date":"2026-01-19T00:00:00","date_gmt":"2026-01-18T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/ro\/vulnerabilitate-critica-acf-extended-escaladare-privilegii-fara-autentificare-cve-2025-14533\/"},"modified":"2026-01-19T00:00:00","modified_gmt":"2026-01-18T23:00:00","slug":"vulnerabilitate-critica-acf-extended-escaladare-privilegii-fara-autentificare-cve-2025-14533","status":"publish","type":"post","link":"https:\/\/helloblog.io\/ro\/vulnerabilitate-critica-acf-extended-escaladare-privilegii-fara-autentificare-cve-2025-14533\/","title":{"rendered":"Critical vulnerability in ACF Extended: unauthenticated privilege escalation (CVE-2025-14533)"},"content":{"rendered":"\n<p>An advisory published by Wordfence draws attention to a critical <strong>Privilege Escalation<\/strong> vulnerability in the <strong>Advanced Custom Fields: Extended<\/strong> plugin (known as <em>ACF Extended<\/em>, an add-on for Advanced Custom Fields). The scenario is one in which an <strong>unauthenticated<\/strong> attacker can grant themselves the <strong>administrator<\/strong> role, provided the site has an ACF Extended form configured in a particular way.<\/p>\n\n\n\n<p>The plugin has over <strong>100,000<\/strong> active installations, and the issue is tracked as <strong>CVE-2025-14533<\/strong>, with a <strong>CVSS 9.8 (Critical)<\/strong> score. Affected versions are <strong>up to and including 0.9.2.1<\/strong>, and the fix shipped in <strong>0.9.2.2<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What exactly is the problem (in terms a WordPress dev will understand)?<\/h2>\n\n\n\n<p>In ACF Extended you can build front-end forms (via the <em>Form Manager<\/em>) that run actions such as <strong>Create user<\/strong> \/ <strong>Update user<\/strong>. 
Normally you would expect a \u201crole\u201d field to be limited to a set of permitted roles, especially since the plugin offers a field-level <strong>\u201cAllow User Role\u201d<\/strong> setting.<\/p>\n\n\n\n<p>In the vulnerable versions, however, the field-level restriction is not enforced correctly when the form runs the create-user action. So if the form maps a field to <code>role<\/code>, an attacker can submit a payload that sets the role to <code>administrator<\/code> and obtain admin access.<\/p>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">An important detail about exploitation<\/h4>\n\n\n<p>According to Wordfence, the vulnerability becomes critical specifically on sites that have an ACF Extended form with a \u201cCreate user\u201d or \u201cUpdate user\u201d action in which the <code>role<\/code> field is mapped. If you have no such forms (or do not map the role), the attack surface is much smaller.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Why is privilege escalation so dangerous in WordPress?<\/h2>\n\n\n\n<p>An administrator account in WordPress means, in practice, complete control: installing plugins\/themes, uploading files, changing content, integration settings, and the ability to plant backdoors (for example through a seemingly \u201clegitimate\u201d plugin). 
In many cases the compromise spreads quickly: redirects to malicious sites, SEO spam, code injection or data exfiltration.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What the technical analysis says: where is the defect?<\/h2>\n\n\n\n<p>Wordfence points out that ACF Extended uses an <code>insert_user()<\/code> function in the <code>acfe_module_form_action_user<\/code> class to build the arguments and call <code>wp_insert_user($args)<\/code>. The problem described: in the \u201cinsert user\u201d flow, roles are not restricted correctly, which allows the <code>administrator<\/code> role to be injected into the registration data.<\/p>\n\n\n\n<p>In other words, the <em>form action<\/em> treats the mapped fields as valid input without applying a strict whitelist for roles, even though the UI suggests a limitation exists (via the \u201cAllow User Role\u201d setting).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A relevant fragment (from the public analysis)<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Fragment shown in the Wordfence analysis: the 'insert_user' action\n\/\/ ends up calling wp_insert_user($args).\n\/\/ $args is built from the form's mapped fields; a mapped 'role' value\n\/\/ passes through here without being checked against an allowed-role list.\n\ncase 'insert_user':{\n    if(!isset($args['user_pass'])){\n        $args['user_pass'] = '';\n    }\n\n    $user_id = wp_insert_user($args);\n}\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Who is affected and which versions need checking?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Affected plugin: Advanced Custom Fields: Extended (slug: <code>acf-extended<\/code>)<\/li>\n\n\n<li>Vulnerable versions: <strong>&lt;= 0.9.2.1<\/strong><\/li>\n\n\n<li>Fixed version: <strong>0.9.2.2<\/strong><\/li>\n\n\n<li>CVE: <strong>CVE-2025-14533<\/strong> (CVSS 9.8)<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Practical remediation steps (checklist for a WordPress site)<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n\n<li><strong>Update ACF Extended to 0.9.2.2<\/strong> (or newer, if available) as soon as possible.<\/li>\n\n\n<li><strong>Inventory your ACF Extended forms<\/strong>: look for \u201cCreate user\u201d \/ \u201cUpdate user\u201d actions.<\/li>\n\n\n<li><strong>Check the field mapping<\/strong>: if a field is mapped to <code>role<\/code>, treat it as a priority-0 issue.<\/li>\n\n\n<li><strong>Reduce form exposure<\/strong>: where possible, put user-management forms behind authentication or add extra validation.<\/li>\n\n\n<li><strong>Apply a WAF\/firewall<\/strong>: Wordfence shipped a firewall rule (earlier for Premium\/Care\/Response customers, later for Free). Even with the patch applied, a WAF can stop common attack patterns.<\/li>\n\n\n<li><strong>Quick post-update audit<\/strong>: check the user list for unknown admin accounts and review the authentication\/account-creation logs.<\/li>\n\n<\/ol>\n\n\n\n<div class=\"wp-block-group callout callout-info is-style-info is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Note on Wordfence protection<\/h4>\n\n\n<p>According to the Wordfence announcement, Wordfence Premium\/Care\/Response users received a firewall rule on 11 December 2025, and Wordfence Free users received the same protection on 10 January 2026.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Disclosure timeline (in brief)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>10 December 2025: the vulnerability was reported through the Bug Bounty Program.<\/li>\n\n\n<li>11 December 2025: report validated and details sent to the vendor via the Wordfence portal.<\/li>\n\n\n<li>14 December 2025: the vendor released the fixed version <strong>0.9.2.2<\/strong>.<\/li>\n\n\n<li>10 January 2026: the rule also reaches Wordfence Free.<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Images: what the typical configuration looks like (from the Wordfence analysis)<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" 
width=\"2560\" height=\"1600\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-1-scaled-1.png\" alt=\"ACF Extended: field setting for the role (Allow User Role) in a field group\" class=\"wp-image-151\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-1-scaled-1.png 2560w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-1-scaled-1-300x188.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-1-scaled-1-1024x640.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-1-scaled-1-768x480.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-1-scaled-1-1536x960.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-1-scaled-1-2048x1280.png 2048w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-1-scaled-1-400x250.png 400w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><figcaption class=\"wp-element-caption\">In ACF Extended you can limit roles via an \u201cAllow User Role\u201d setting, but the problem arises when that restriction is not enforced in the create-user form action. 
\u2014 <em>Source: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1599\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-2-scaled-1.png\" alt=\"ACF Extended: form with a Create user action and field mapping\" class=\"wp-image-152\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-2-scaled-1.png 2560w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-2-scaled-1-300x187.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-2-scaled-1-1024x640.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-2-scaled-1-768x480.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-2-scaled-1-1536x959.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-2-scaled-1-2048x1279.png 2048w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/acfe-2-scaled-1-400x250.png 400w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><figcaption class=\"wp-element-caption\">ACF Extended form configured with a \u201cCreate user\u201d action, where the fields (including the role) can be mapped to the user data. \u2014 <em>Source: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>The ACF Extended vulnerability (CVE-2025-14533) is a classic example of \u201cform input that reaches capabilities\u201d without strict validation. 
Even though not every site is exploitable (it depends on the existence of a create\/update-user form with <code>role<\/code> mapped), the critical score is justified: in the vulnerable scenario the attack requires no authentication and leads straight to admin.<\/p>\n\n\n\n<p>The recommended action is simple: <strong>update to 0.9.2.2<\/strong> and do a quick check of the site's forms and administrator accounts.<\/p>\n\n\n<div class=\"references-section\">\n                <h2>References \/ Sources<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/www.wordfence.com\/blog\/2026\/01\/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin<\/a><\/li><li><a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/acf-extended\/advanced-custom-fields-extended-0921-unauthenticated-privilege-escalation-via-insert-user-form-action\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended &lt;= 0.9.2.1 &#8212; Unauthenticated Privilege Escalation via Insert User Form Action<\/a><\/li><li><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-14533\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2025-14533<\/a><\/li><li><a href=\"https:\/\/wordpress.org\/plugins\/acf-extended\/\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended (WordPress.org plugin page)<\/a><\/li><\/ul>\n            <\/div>","protected":false},"excerpt":{"rendered":"<p>If you use Advanced Custom Fields: Extended (ACF Extended) for user create\/update forms, a critical bug can let an unauthenticated attacker become an administrator. 
The patch exists, but the impact depends on how the form is configured.<\/p>\n","protected":false},"author":30,"featured_media":150,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[75,76,59,11,10],"class_list":["post-153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-securitate","tag-acf-extended","tag-cve","tag-plugin-uri","tag-securitate","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/posts\/153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/comments?post=153"}],"version-history":[{"count":0,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/posts\/153\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/media\/150"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/media?parent=153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/categories?post=153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/tags?post=153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}