{"id":133,"date":"2026-01-19T00:00:00","date_gmt":"2026-01-18T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/sk\/kriticka-eskalacia-prav-v-acf-extended-kedy-sa-z-registracneho-formulara-stane-admin-vstup\/"},"modified":"2026-01-19T00:00:00","modified_gmt":"2026-01-18T23:00:00","slug":"kriticka-eskalacia-prav-v-acf-extended-kedy-sa-z-registracneho-formulara-stane-admin-vstup","status":"publish","type":"post","link":"https:\/\/helloblog.io\/sk\/kriticka-eskalacia-prav-v-acf-extended-kedy-sa-z-registracneho-formulara-stane-admin-vstup\/","title":{"rendered":"Critical privilege escalation in ACF Extended: when a registration form becomes an admin entry point"},"content":{"rendered":"\n<p>If you build registration or profile forms on a WordPress site with the ACF stack, you probably know the plugin <strong>Advanced Custom Fields: Extended<\/strong> (ACF Extended), an add-on for ACF that brings extra field types, a form manager and actions that run on form submission. According to the published advisory, it was exactly this \u201cform\u201d part that contained a critical vulnerability which, under a specific configuration, allowed an <strong>unauthenticated<\/strong> attacker to elevate their account to administrator.<\/p>\n\n\n\n<p>The good news: a fix exists. The bad news: if your site had a form with a create\/update user action and you also mapped the role field, the risk is real. 
In this article I go through what happened, who is affected and what to check so that you do not recreate the same problem elsewhere.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The core of the problem: privilege escalation through the user role<\/h2>\n\n\n\n<p><strong>Privilege escalation<\/strong> is a class of bugs in which a user ends up with higher rights than they are entitled to. This case is the extreme form: from a \u201cvisitor\u201d (not logged in) to <strong>administrator<\/strong>.<\/p>\n\n\n\n<p>According to the published details, the vulnerability affected ACF Extended up to and including version <strong>0.9.2.1<\/strong> and is tracked as <strong>CVE-2025-14533<\/strong> with a rating of <strong>CVSS 9.8 (Critical)<\/strong>. The fixed version is <strong>0.9.2.2<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">When a site is actually vulnerable (and why not every site with the plugin is)<\/h2>\n\n\n\n<p>This is not the kind of bug that can be exploited automatically on every installation just because the plugin is present. 
The sites that are critically affected are mainly those that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>use an ACF Extended <strong>Form<\/strong> with an action of type <strong>Create user (insert_user)<\/strong> or <strong>Update user<\/strong>,<\/li>\n\n\n<li>and, in the field mapping of that action, also map the <strong>role<\/strong> field (the user's role).<\/li>\n\n<\/ul>\n\n\n\n<p>In practice this is typically a custom registration form or an \u201cedit profile\u201d form where the developer lets the user choose a role (or the role arrives through a hidden field). The advisory explicitly states that exploitation is possible when <code>role<\/code> is mapped to a custom field.<\/p>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Important detail<\/h4>\n\n\n<p>Even if you set an \u201cAllow User Role\u201d restriction on the role field in the ACF field group, in the vulnerable version this restriction was, according to the analysis, not applied when the form was processed. An attacker could submit the role \u201cadministrator\u201d regardless of the UI settings.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">How it worked technically: insert_user() and unchecked arguments<\/h2>\n\n\n\n<p>In its technical analysis, Wordfence describes that ACF Extended handles the create-user action in the <code>insert_user()<\/code> function of the <code>acfe_module_form_action_user<\/code> class. 
The arguments are assembled from <code>$save<\/code> (the fields mapped from the form) and passed to <code>wp_insert_user()<\/code>.<\/p>\n\n\n\n<p>The problem was that the role was not sufficiently restricted: the plugin did not enforce a whitelist or validation of roles for the \u201cregistration via form\u201d context and allowed the value <code>administrator<\/code> to be submitted.<\/p>\n\n\n\n<pre class=\"language-php\"><code>&lt;?php\n\/\/ Conceptual (simplified) illustration, not a copy of the original code:\n\/\/ if the plugin takes values from the form and passes them to wp_insert_user()\n\/\/ without validation, an attacker can submit the role 'administrator'.\n\n$args = [\n  'user_login' =&gt; $_POST['username'] ?? null,\n  'user_email' =&gt; $_POST['email'] ?? null,\n  'user_pass'  =&gt; $_POST['password'] ?? '',\n  'role'       =&gt; $_POST['role'] ?? 'subscriber', \/\/ &lt;- the key problem when there is no whitelist\n];\n\nwp_insert_user($args);\n<\/code><\/pre>\n\n\n\n<p>The point is simple: if the role behaves like any other \u201cmappable\u201d field without server-side validation, UI restrictions (a select with permitted values) do not help you. 
An attacker does not play by the UI; they send their own request.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Impact: from an admin account to a full site takeover<\/h2>\n\n\n\n<p>Obtaining an administrator account in WordPress means, in practice, full access to site administration. The advisory explicitly lists the typical consequences:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>uploading a malicious plugin or theme (e.g. a ZIP with a backdoor),<\/li>\n\n\n<li>modifying page and post content (spam, SEO poisoning, redirects),<\/li>\n\n\n<li>creating further users and changing settings.<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">What to do right now: update and a quick audit of your forms<\/h2>\n\n\n\n<p>The fastest mitigation is to update ACF Extended to the fixed release. According to the advisory, the fixed version is <strong>0.9.2.2<\/strong>.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n\n<li>Check the version of the <strong>Advanced Custom Fields: Extended<\/strong> plugin (slug <code>acf-extended<\/code>).<\/li>\n\n\n<li>If the version is <strong>\u2264 0.9.2.1<\/strong>, update to <strong>0.9.2.2<\/strong> or newer.<\/li>\n\n\n<li>Go through your ACF Extended <strong>Forms<\/strong> and find actions of type <strong>Create user<\/strong> or <strong>Update user<\/strong>.<\/li>\n\n\n<li>Check whether the <code>role<\/code> field is mapped into the action (whether visible, a select, or hidden). 
If it is, treat it as high risk.<\/li>\n\n\n<li>If you do not need the role, remove the <code>role<\/code> mapping from the form (this is good hardening even after the update).<\/li>\n\n<\/ol>\n\n\n\n<div class=\"wp-block-group callout callout-info is-style-info is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">A practical rule for registrations<\/h4>\n\n\n<p>Set the role at registration server-side (e.g. always \u201csubscriber\u201d or a custom role) and never let it arrive from the client as a \u201ctrusted\u201d value. Even a select with a limited set of options can be bypassed.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Disclosure timeline and protection via Wordfence<\/h2>\n\n\n\n<p>Wordfence states that the vulnerability was reported on 10 December 2025 and verified on 11 December 2025. According to the timeline, the vendor released the patch on 14 December 2025 (version 0.9.2.2).<\/p>\n\n\n\n<p>As for mitigation through a WAF (web application firewall), Wordfence deployed a firewall rule for its paid products (Premium\/Care\/Response) on 11 December 2025 and for Wordfence Free on 10 January 2026. That is a useful safety net, but with a bug this critical it is not worth relying on the WAF alone; the patch is the baseline.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Lesson for developers: UI restrictions are not a security control<\/h2>\n\n\n\n<p>ACF Extended has handy field settings that tempt you into believing that \u201cif I restricted it in the admin, it holds\u201d. Without server-side validation, however, that is only UX. 
The moment you create create\/update user actions in the form builder, you are working with one of the most sensitive parts of WordPress: identities and roles.<\/p>\n\n\n\n<p>If you map fields into <code>wp_insert_user()<\/code> or <code>wp_update_user()<\/code> anywhere, treat the role, capabilities and similar attributes as <strong>input that must never be accepted from the client<\/strong>. Even when it is sent \u201conly by your own form\u201d.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>ACF Extended (Advanced Custom Fields: Extended) had a critical vulnerability, <strong>CVE-2025-14533<\/strong> (CVSS 9.8), which allowed <strong>unauthenticated privilege escalation<\/strong> under a certain form configuration.<\/li>\n\n\n<li>Affected versions are <strong>\u2264 0.9.2.1<\/strong>; the fix is in <strong>0.9.2.2<\/strong>.<\/li>\n\n\n<li>The risk applies mainly to sites that use the <strong>Create user\/Update user<\/strong> action and map the <strong>role<\/strong> field into it.<\/li>\n\n\n<li>The most important step is to update the plugin and then check your forms so that the role cannot be set from the client.<\/li>\n\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1600\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/16\/2026\/01\/acfe-1-scaled-1.png\" alt=\"Configuring the user role field in ACF Extended with the option to restrict the allowed roles\" class=\"wp-image-131\" \/><figcaption class=\"wp-element-caption\">ACF Extended lets you restrict roles in the field settings, but in the vulnerable version the restriction was, according to the advisory, not enforced when the form was processed. <em>Source: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1599\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/16\/2026\/01\/acfe-2-scaled-1.png\" alt=\"Form action in ACF Extended for creating a user, with field mapping\" class=\"wp-image-132\" \/><figcaption class=\"wp-element-caption\">With the \u201cCreate user\u201d action, form fields are mapped into the user data; this is exactly where the problem with the role arose. 
<em>Source: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n<div class=\"references-section\">\n                <h2>References \/ Sources<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/www.wordfence.com\/blog\/2026\/01\/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin<\/a><\/li><li><a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/acf-extended\/advanced-custom-fields-extended-0921-unauthenticated-privilege-escalation-via-insert-user-form-action\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended &lt;= 0.9.2.1 &#8212; Unauthenticated Privilege Escalation via Insert User Form Action<\/a><\/li><li><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-14533\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2025-14533<\/a><\/li><li><a href=\"https:\/\/wordpress.org\/plugins\/acf-extended\/\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended<\/a><\/li><\/ul>\n            <\/div>","protected":false},"excerpt":{"rendered":"<p>ACF Extended has fixed a critical bug that allowed an unauthenticated attacker to obtain the administrator role through an incorrectly bound \u201crole\u201d field in a form. 
If you use \u201cCreate user\/Update user\u201d actions, updating to 0.9.2.2 is a priority.<\/p>\n","protected":false},"author":37,"featured_media":130,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[81,82,15,10,62],"class_list":["post-133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost","tag-acf-extended","tag-cve","tag-wordfence","tag-wordpress","tag-zranitelnost"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/posts\/133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/users\/37"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/comments?post=133"}],"version-history":[{"count":0,"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/posts\/133\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/media\/130"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/media?parent=133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/categories?post=133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/sk\/wp-json\/wp\/v2\/tags?post=133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}