How to fix CVE-2025-13486?

Within 24 hours: Identify all WordPress instances running Advanced Custom Fields: Extended versions 0.9.0.5-0.9.1.1 and disable or deactivate the plugin immediately. Within 7 days: Implement Web Application Firewall rules to block malicious requests to the prepare_form() function, conduct forensic analysis for signs of compromise, and audit user accounts for unauthorized administrative additions. Within 30 days: Migrate to a patched version or alternative plugin once available, perform full security assessment of affected systems, and reset all credentials for administrative accounts.

Is PHP affected by CVE-2025-13486?

A critical remote code execution vulnerability in the Advanced Custom Fields: Extended WordPress plugin allows unauthenticated attackers to execute arbitrary code and gain administrative control of affected websites.

CVE-2025-13486

EUVD-2025-200730 CRITICAL

2025-12-03 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 16:14 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 16:14 euvd

EUVD-2025-200730

CVE Published

Dec 03, 2025 - 07:16 nvd

CRITICAL 9.8

Description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.

Analysis

Technical Context

Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication. This vulnerability is classified as Code Injection (CWE-94).

Remediation

Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.

Priority Score

124

Low Medium High Critical

KEV: 0

EPSS: +75.3

CVSS: +49

POC: 0

CVE-2025-13486 vulnerability details – vuln.today

Back

CVE-2025-13486

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Share

CVE-2025-13486

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Share

External POC / Exploit Code