
The researcher identified the flaw and reported it responsibly through Wordfence’s Bug Bounty Program, earning a $975 bounty for the discovery.
The vulnerability resides in the plugin’s insert_user() function within the acfe_module_form_action_user class. The vulnerable code fails to validate user role restrictions when processing form submissions.
When administrators configure a “Create user” or “Update user” form action with a role field, the plugin does not enforce the field-level role restrictions defined in the field group settings.

This permits attackers to arbitrarily set the user role to “administrator” during registration, bypassing all access controls.

Technical Mechanism
The vulnerability occurs when the plugin constructs user-registration arguments without validating permitted roles.
The code iterates through submitted form data and passes values directly to WordPress’s wp_insert_user() function without checking against configured restrictions.
An attacker can inject an “administrator” role parameter into the form submission, and the plugin processes it without validation.
The flaw only impacts sites with a role field explicitly added to user creation forms. This configuration is likely uncommon but present on vulnerable installations.
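To make the bug class concrete, here is an added illustration that is not the plugin’s code: a hypothetical form-action handler that passes a submitted role straight into wp_insert_user(), beside a hardened version that enforces a server-side allow-list taken from the form’s own settings. The function names and the $allowed_roles input are assumptions; the WordPress core functions used are real.

```php
<?php
// Hypothetical form-action handler (not the plugin's code). Assumes WordPress
// core is loaded and that $allowed_roles is the list of roles the form author
// configured in the field settings, never a value taken from the request.

/** Vulnerable pattern: whatever the request says becomes the new user's role. */
function vulnerable_create_user( array $submitted ) {
    $args = array(
        'user_login' => sanitize_user( $submitted['user_login'] ?? '' ),
        'user_email' => sanitize_email( $submitted['user_email'] ?? '' ),
        'user_pass'  => $submitted['user_pass'] ?? wp_generate_password(),
        // No check against configured restrictions: an "administrator"
        // value in the form body is accepted as-is.
        'role'       => sanitize_key( $submitted['role'] ?? '' ),
    );
    return wp_insert_user( $args );
}

/** Hardened pattern: the role must be one the form explicitly permits. */
function hardened_create_user( array $submitted, array $allowed_roles ) {
    $requested = sanitize_key( $submitted['role'] ?? '' );
    $default   = get_option( 'default_role', 'subscriber' );

    // Only roles that exist on this site and were configured for the form.
    $allowed = array_intersect( $allowed_roles, array_keys( wp_roles()->get_names() ) );

    // A submitter who cannot promote users (e.g. an unauthenticated visitor)
    // must never be able to obtain the administrator role through a form.
    if ( ! current_user_can( 'promote_users' ) ) {
        $allowed = array_diff( $allowed, array( 'administrator' ) );
    }
    $allowed = array_values( $allowed );

    // Fall back to the site default (or subscriber) rather than trusting input.
    if ( ! in_array( $requested, $allowed, true ) ) {
        $requested = in_array( $default, $allowed, true ) ? $default : 'subscriber';
    }

    $args = array(
        'user_login' => sanitize_user( $submitted['user_login'] ?? '' ),
        'user_email' => sanitize_email( $submitted['user_email'] ?? '' ),
        'user_pass'  => $submitted['user_pass'] ?? wp_generate_password(),
        'role'       => $requested,
    );
    return wp_insert_user( $args );
}
```

The defensive point is that the allow-list is resolved on the server from the field configuration and the caller’s capabilities, so a crafted role value in the POST body can only ever downgrade to the default.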
Complete site compromise follows successful exploitation. Once attackers achieve administrative access, they can upload malicious plugins containing backdoors, modify content to inject spam or redirect users, and maintain persistent access.
Wordfence Premium, Care, and Response users received firewall protection on December 11, 2025. Free users gained protection on January 10, 2026, a 30-day delay reflecting Wordfence’s responsible disclosure window.
The vendor released patched version 0.9.2.2 on December 14, 2025, addressing the flaw. WordPress site administrators should immediately update to this version to mitigate risk.
| Detail | Value |
|---|---|
| CVE ID | CVE-2025-14533 |
| CVSS Score | 9.8 (Critical) |
| Affected Versions | ≤ 0.9.2.1 |
| Patched Version | 0.9.2.2 |
| Researcher | Andrea Bocchetti |
| Bounty Awarded | $975.00 |
| Discovery Date | December 10, 2025 |
| Patch Release | December 14, 2025 |
The rapid patch deployment and coordinated disclosure demonstrate effective vulnerability management. Site owners using this plugin should verify updates immediately, given the critical severity and unauthenticated attack vector.
The post WordPress Plugin Vulnerability Exposes Over 100,000 Sites to Privilege Escalation Attacks appeared first on Cyber Security News.
