{"id":160,"date":"2026-01-19T00:00:00","date_gmt":"2026-01-18T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/sl\/kriticna-ranljivost-acf-extended-privilege-escalation\/"},"modified":"2026-01-19T00:00:00","modified_gmt":"2026-01-18T23:00:00","slug":"kriticna-ranljivost-acf-extended-privilege-escalation","status":"publish","type":"post","link":"https:\/\/helloblog.io\/sl\/kriticna-ranljivost-acf-extended-privilege-escalation\/","title":{"rendered":"Kriti\u010dna ranljivost v ACF Extended: kako lahko neavtoriziran napadalec pridobi admin pravice (in koga to dejansko ogro\u017ea)"},"content":{"rendered":"\n<p>V ekosistemu WordPressa so obrazci za registracijo ali upravljanje uporabnikov eden izmed najpogostej\u0161ih \u201chitrih zmag\u201d, ko gradi\u0161 prilagojen frontend. Ravno zato so napake v logiki dodeljevanja vlog posebej nevarne: \u010de napadalec lahko vpliva na <code>role<\/code>, ima potencialno direkten skok do administracije.<\/p>\n\n\n\n<p>Wordfence je objavil poro\u010dilo o kriti\u010dni ranljivosti (CVSS 9.8) v vti\u010dniku <a href=\"https:\/\/wordpress.org\/plugins\/acf-extended\/\">Advanced Custom Fields: Extended<\/a>, dodatku za Advanced Custom Fields (ACF). Ranljivost je bila odpravljena v razli\u010dici <strong>0.9.2.2<\/strong>, prizadete pa so vse razli\u010dice <strong>do vklju\u010dno 0.9.2.1<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Kaj je ranljivost in zakaj je ozna\u010dena kot \u201cCritical\u201d<\/h2>\n\n\n\n<p>Gre za <strong>Privilege Escalation<\/strong> (dvig privilegijev) brez avtentikacije: neavtoriziran napadalec lahko prek dolo\u010denega \u201cuser action\u201d obrazca nastavi svojo vlogo na <strong>administrator<\/strong>. 
Po navedbah Wordfenca je vzrok v tem, da funkcija <code>insert_user()<\/code> v modulu za obrazce ne omeji, katere vloge so dovoljene ob registraciji\/ustvarjanju uporabnika.<\/p>\n\n\n\n<p>Pomembna podrobnost: ranljivost se lahko izkoristi <strong>le, \u010de je polje <code>role<\/code> mapirano na custom field<\/strong> v obrazcu. Torej ne gre za \u201cvsa spleti\u0161\u010da s pluginom so takoj kompromitirana\u201d, ampak za zelo specifi\u010den (in \u017eal realen) na\u010din uporabe, ko na frontendu ponudi\u0161 obrazec, ki ustvarja uporabnike.<\/p>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Kdaj si v rizi\u010dni skupini?<\/h4>\n\n\n<p>\u010ce ima\u0161 v ACF Extended obrazec z akcijo \u201cCreate user\u201d ali \u201cUpdate user\u201d in je v tem obrazcu vklju\u010deno ter mapirano polje za vlogo (role), si v kriti\u010dno prizadetem scenariju. \u010ce tega nima\u0161, je verjetnost izkori\u0161\u010danja bistveno manj\u0161a.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Kaj lahko napadalec naredi z admin dostopom<\/h2>\n\n\n\n<p>Ko napadalec pridobi administratorske pravice v WordPressu, gre praviloma za <strong>popolno kompromitacijo strani<\/strong>. 
Administratorski uporabnik lahko:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>name\u0161\u010da ali nalaga vti\u010dnike in teme (tudi zlonamerne ZIP datoteke z backdoorom)<\/li>\n\n\n<li>spreminja vsebino (preusmeritve na phishing strani, injekcija spama)<\/li>\n\n\n<li>dodaja nove uporabnike in trajno utrdi dostop<\/li>\n\n\n<li>spreminja konfiguracijo, integracije in API klju\u010de, \u010de so dostopni prek admina<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Tehni\u010dni kontekst: zakaj nastavitve omejitve vloge niso pomagale<\/h2>\n\n\n\n<p>ACF Extended omogo\u010da, da v field group doda\u0161 polja za uporabni\u0161ke podatke (npr. email, username, password, role). Pri polju <code>role<\/code> obstaja nastavitev v slogu \u201cAllow User Role\u201d, ki bi pri\u010dakovano omejila dovoljene vloge.<\/p>\n\n\n\n<p>Problem, ki ga izpostavi Wordfence: ta omejitev v ranljivih razli\u010dicah <strong>ni bila dosledno uveljavljena na nivoju obrazca<\/strong>. \u010ce si torej imel obrazec, ki je ustvarjal uporabnika, in je bil <code>role<\/code> del poslanih podatkov (mapped field), je napadalec lahko poslal vrednost <code>administrator<\/code> ne glede na UI\/field nastavitve.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1600\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-1-scaled-1.png\" alt=\"Nastavitev polja role v ACF Extended, kjer se lahko omeji dovoljene uporabni\u0161ke vloge\" class=\"wp-image-158\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-1-scaled-1.png 2560w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-1-scaled-1-300x188.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-1-scaled-1-1024x640.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-1-scaled-1-768x480.png 768w, 
https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-1-scaled-1-1536x960.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-1-scaled-1-2048x1280.png 2048w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-1-scaled-1-400x250.png 400w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><figcaption class=\"wp-element-caption\">V ACF Extended obstajajo nastavitve za omejevanje vlog, a ranljivost je nastala, ker se omejitve niso uveljavile pri obdelavi obrazca. \u2014 <em>Forr\u00e1s: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2560\" height=\"1599\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-2-scaled-1.png\" alt=\"Primer ACF Extended obrazca z akcijo Create user in mapiranjem polj\" class=\"wp-image-159\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-2-scaled-1.png 2560w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-2-scaled-1-300x187.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-2-scaled-1-1024x640.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-2-scaled-1-768x480.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-2-scaled-1-1536x959.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-2-scaled-1-2048x1279.png 2048w, https:\/\/helloblog.io\/app\/uploads\/sites\/17\/2026\/01\/acfe-2-scaled-1-400x250.png 400w\" sizes=\"auto, (max-width: 2560px) 100vw, 2560px\" \/><figcaption class=\"wp-element-caption\">Obrazec z akcijo \u201cCreate user\u201d lahko mapira polja na uporabni\u0161ke atribute \u2013 tu je klju\u010dna to\u010dka, \u010de je mapirano tudi polje role. 
\u2014 <em>Forr\u00e1s: Wordfence.com<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Kaj mora\u0161 narediti takoj (prakti\u010den checklist)<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n\n<li>Posodobi vti\u010dnik Advanced Custom Fields: Extended na <strong>0.9.2.2<\/strong> (ali novej\u0161o, \u010de je \u017ee na voljo).<\/li>\n\n\n<li>Preveri, ali na strani uporablja\u0161 ACF Extended obrazce z akcijo <strong>Create user<\/strong> ali <strong>Update user<\/strong>.<\/li>\n\n\n<li>\u010ce obrazec obstaja: preveri, ali je kjerkoli mapirano polje za vlogo (<code>role<\/code>). \u010ce tega ne potrebuje\u0161, ga odstrani iz obrazca oziroma mappinga.<\/li>\n\n\n<li>\u010ce vlogo potrebuje\u0161: poskrbi, da jo dolo\u010da stre\u017eni\u0161ka logika (backend) in ne uporabni\u0161ki vnos. V praksi: na frontendu ne izpostavljaj role kot input, temve\u010d jo nastavi fiksno (npr. subscriber) oziroma jo izra\u010dunaj na podlagi poslovnih pravil.<\/li>\n\n\n<li>Preglej uporabnike: poi\u0161\u010di sumljive na novo ustvarjene admin ra\u010dune in preveri \u010dasovni okvir med zadnjimi posodobitvami ter dostopi.<\/li>\n\n\n<li>\u010ce uporablja\u0161 Wordfence: upo\u0161tevaj, da so Premium\/Care\/Response uporabniki dobili WAF pravilo 11. 12. 2025, uporabniki brezpla\u010dne razli\u010dice pa 10. 1. 2026 (po objavi). Kljub temu posodobitev vti\u010dnika ostaja primarni korak.<\/li>\n\n<\/ol>\n\n\n\n<div class=\"wp-block-group callout callout-info is-style-info is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Zakaj je \u201codstrani role iz obrazca\u201d dobra obramba<\/h4>\n\n\n<p>Dodeljevanje vlog je avtorizacijska odlo\u010ditev. \u010cim role preda\u0161 klientu (frontend forma), si odvisen od pravilnega uveljavljanja omejitev na stre\u017eniku. 
Varnej\u0161i vzorec je, da vloga nikoli ne pride iz uporabni\u0161kega vnosa.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Identifikatorji ranljivosti in prizadete razli\u010dice<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>CVE: <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-14533\">CVE-2025-14533<\/a><\/li>\n\n\n<li>Ocena: <strong>CVSS 9.8 (Critical)<\/strong><\/li>\n\n\n<li>Prizadete razli\u010dice: <strong>Advanced Custom Fields: Extended <= 0.9.2.1<\/strong><\/li>\n\n\n<li>Popravljeno v: <strong>0.9.2.2<\/strong><\/li>\n\n\n<li>Vti\u010dnik (slug): <a href=\"https:\/\/wordpress.org\/plugins\/acf-extended\/\">acf-extended<\/a><\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\u010casovnica razkritja (po podatkih Wordfenca)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>10. 12. 2025: prijava ranljivosti prek Wordfence Bug Bounty programa<\/li>\n\n\n<li>11. 12. 2025: validacija in potrditev PoC; izdano WAF pravilo za Premium\/Care\/Response<\/li>\n\n\n<li>11. 12. 2025: podrobnosti poslane razvijalcu prek Wordfence Vulnerability Management Portal<\/li>\n\n\n<li>14. 12. 2025: razvijalec potrdi in izda popravek; izide razli\u010dica 0.9.2.2<\/li>\n\n\n<li>10. 1. 2026: enako WAF pravilo dobijo uporabniki Wordfence Free<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Povzetek<\/h2>\n\n\n\n<p>ACF Extended je v ranljivih razli\u010dicah omogo\u010dal scenarij, kjer lahko neavtoriziran napadalec prek obrazca za ustvarjanje\/posodabljanje uporabnika nastavi vlogo na <code>administrator<\/code> \u2013 \u010de je bil <code>role<\/code> mapiran kot custom field. 
Popravek je na voljo v razli\u010dici <strong>0.9.2.2<\/strong>, zato je najhitrej\u0161i in najbolj smiseln ukrep posodobitev, nato pa \u0161e pregled, ali sploh kje izpostavlja\u0161 vloge prek frontend obrazcev.<\/p>\n\n\n<div class=\"references-section\">\n                <h2>Reference \/ Viri<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/www.wordfence.com\/blog\/2026\/01\/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Advanced Custom Fields: Extended WordPress Plugin<\/a><\/li><li><a href=\"https:\/\/wordpress.org\/plugins\/acf-extended\/\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended<\/a><\/li><li><a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/acf-extended\/advanced-custom-fields-extended-0921-unauthenticated-privilege-escalation-via-insert-user-form-action\" target=\"_blank\" rel=\"noopener noreferrer\">Advanced Custom Fields: Extended &lt;= 0.9.2.1 &#8212; Unauthenticated Privilege Escalation via Insert User Form Action<\/a><\/li><li><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-14533\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2025-14533<\/a><\/li><\/ul>\n            <\/div>","protected":false},"excerpt":{"rendered":"<p>\u010ce na WordPress strani uporablja\u0161 Advanced Custom Fields: Extended za obrazce, ki ustvarjajo ali posodabljajo uporabnike, je \u010das za hiter pregled nastavitev in posodobitev. 
Kriti\u010dna ranljivost omogo\u010da dvig privilegijev do administratorja v specifi\u010dnem scenariju konfiguracije.<\/p>\n","protected":false},"author":45,"featured_media":157,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[78,79,11,71,10],"class_list":["post-160","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-varnost","tag-acf-extended","tag-cve","tag-varnost","tag-vticniki","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/posts\/160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/users\/45"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/comments?post=160"}],"version-history":[{"count":0,"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/posts\/160\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/media\/157"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/media?parent=160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/categories?post=160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/sl\/wp-json\/wp\/v2\/tags?post=160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
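The following is an added example for this article, written in PHP because that is the language of WordPress plugins. It is not code from ACF Extended, from Wordfence, or from the article's author, and it does not reproduce the plugin's actual vulnerable code path. It illustrates the class of mistake described in the technical-context section (a user-creation handler that copies `role` from the request into `wp_insert_user()`) beside a hardened handler in which the role is resolved server-side against an allowlist, as checklist step 4 recommends; it also adds a `set_user_role` hook that logs administrator grants made by a requester without the `promote_users` capability, and a helper for checklist step 5 that lists administrators registered since a cut-off date. The form action name `demo_register`, the field names `demo_nonce`, `user_login`, `user_email`, `user_pass` and `role`, the allowlist contents, the confirmation URL and the 2025-12-01 audit cut-off are assumptions chosen for the example, not details taken from the article or the plugin.

```php
<?php
/**
 * Plugin Name: Demo: server-side role assignment for a front-end user form
 *
 * Added example for this article; NOT ACF Extended's or Wordfence's code.
 * Assumptions (not from the article): the form POSTs to admin-post.php with
 * action=demo_register and fields demo_nonce, user_login, user_email,
 * user_pass and role; self-service roles on this site are 'subscriber'
 * and 'customer'.
 */

// ---- Vulnerable pattern (for contrast only; deliberately not hooked anywhere) ----
// The role is copied from the request, so an unauthenticated visitor can send
// role=administrator. Sanitizing does not help: 'administrator' is a perfectly
// valid key. This is the class of bug the article describes.
function demo_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => sanitize_key( $_POST['role'] ?? 'subscriber' ), // attacker-controlled
    );
    return wp_insert_user( $userdata );
}

// ---- Hardened pattern: the role is an authorization decision made on the server ----
const DEMO_ALLOWED_ROLES = array( 'subscriber', 'customer' ); // assumption: site-specific
const DEMO_DEFAULT_ROLE  = 'subscriber';

/**
 * Resolve the role to assign. The submitted value is honoured only if it is in
 * the explicit allowlist (which never contains privileged roles) AND the role
 * actually exists on this site; anything else falls back to the default.
 */
function demo_resolve_role( $submitted, array $allowed = DEMO_ALLOWED_ROLES, $default = DEMO_DEFAULT_ROLE ) {
    $role = is_string( $submitted ) ? sanitize_key( $submitted ) : '';
    if ( '' !== $role && in_array( $role, $allowed, true ) && wp_roles()->is_role( $role ) ) {
        return $role;
    }
    return $default; // role=administrator from the request ends up here
}

function demo_register_hardened() {
    check_admin_referer( 'demo_register', 'demo_nonce' ); // CSRF check; dies on failure

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => demo_resolve_role( $_POST['role'] ?? null ), // never the raw input
    );

    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( home_url( '/registered/' ) ); // assumption: confirmation page
    exit;
}
add_action( 'admin_post_nopriv_demo_register', 'demo_register_hardened' );
add_action( 'admin_post_demo_register', 'demo_register_hardened' );

// ---- Detection: log any grant of 'administrator' by a requester who may not promote users ----
// wp_insert_user() fires set_user_role for new accounts too, so a front-end form
// escalating a fresh account shows up here. WP-CLI runs without a current user and
// will also trigger it; treat that as expected noise.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! current_user_can( 'promote_users' ) ) {
        error_log( sprintf(
            'ALERT: user %d granted administrator by a requester without promote_users (previous roles: %s)',
            $user_id,
            $old_roles ? implode( ',', $old_roles ) : 'none'
        ) );
    }
}, 10, 3 );

// ---- Audit (checklist step 5): administrators registered since a cut-off date ----
// Assumption: 2025-12-01 is a lower bound comfortably before the disclosure timeline.
function demo_recent_admins( $since = '2025-12-01 00:00:00' ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
}
```

To use the audit helper, drop the file into `wp-content/mu-plugins/` and call `demo_recent_admins()` from a maintenance script or via `wp eval`; any administrator it returns that you did not create yourself belongs in the incident-response queue, together with the plugin and theme uploads made since that account appeared. The point of `demo_resolve_role()` is that the allowlist, not the field configuration, is the security boundary: even if a UI setting is later misconfigured or ignored, the handler cannot produce a role outside that list.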