Critical WordPress RCE in Advanced Custom Fields: Extended — why organisations must act now

Critical WordPress plugin flaw (CVE-2025-13486): unauthenticated remote code execution on the web server. Has your site handed attackers the keys?

What we know

The Advanced Custom Fields: Extended WordPress plugin has been disclosed as containing a critical unauthenticated remote code execution vulnerability (CVE-2025-13486). The flaw affects versions 0.9.0.5 through 0.9.1.1 and stems from the prepare_form() function accepting user input and passing it via call_user_func_array(). In short: an unauthenticated attacker can execute arbitrary code on a vulnerable site’s server, which can be leveraged to install backdoors or create new administrative accounts. The issue is rated 9.8 (CRITICAL).

Who is impacted — and why businesses should care

Any organisation running WordPress sites that include this plugin is at risk. That covers obvious targets such as marketing sites, customer portals and blogs — but also less obvious assets that use WordPress as a management front-end or for integrations. A compromised WordPress instance is rarely a “mere defacement”. Attackers use RCEs to persist (web shells, cron jobs), escalate privileges, harvest credentials, pivot into internal networks and drop ransomware or data-exfiltration tools.

For regulated businesses, the consequences go beyond IT drama: data breaches trigger notification obligations, potential fines under data protection laws, and reputational damage that hits revenue and customer trust. Even small sites can become a beachhead for larger campaigns against supply chains and partners.

What can happen if this is ignored

Leaving a critical unauthenticated RCE unaddressed is like leaving the engine running with the keys in the ignition and the garage door open. Consequences can include:

  • Silent backdoors leading to long-term data exfiltration;
  • Creation of rogue administrator accounts allowing persistent site control;
  • Pivoting to internal systems and lateral movement to more valuable assets;
  • Website defacement, service disruption and loss of customer trust;
  • Ransomware deployment or use of the site to host/phish/mine for profit.

Immediate actions every organisation should take now

If you host WordPress sites, treat this as urgent. Practical first steps that reduce immediate risk:

  • Identify and inventory: locate any WordPress installations and confirm whether the Advanced Custom Fields: Extended plugin (versions 0.9.0.5–0.9.1.1) is present;
  • Isolate and mitigate: if a vulnerable instance is found and you cannot patch immediately, deactivate or remove the plugin and restrict access (WAF rules, IP restrictions);
  • Patch and verify: apply the vendor-supplied fix as soon as it’s available and verify the update on a staging environment before rolling out to production;
  • Hunt for signs of compromise: review webserver logs, file integrity, user accounts (look for unexpected admin users) and scheduled tasks for indicators of web shells or persistence mechanisms;
  • Rotate secrets and credentials: reset admin passwords and any API keys or database credentials that may have been used by the site;
  • Restore from trusted backups if compromise is confirmed, and run a post-incident forensic review before reconnecting to networks.
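As an added example (not part of the original advisory), the following POSIX shell script performs the identify-and-inventory step above: it walks a directory tree for WordPress installs and reports, per site, whether the plugin is present and whether its header version lies in the affected range. It assumes the plugin lives in wp-content/plugins/acf-extended with main file acf-extended.php; any sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: locate WordPress installs under a
# directory and flag Advanced Custom Fields: Extended when its header version
# is in the affected range 0.9.0.5 - 0.9.1.1 (CVE-2025-13486).
# Assumption: the plugin lives in wp-content/plugins/acf-extended with main
# file acf-extended.php; change the two variables below if your layout differs.
PLUGIN_SLUG="acf-extended"
PLUGIN_FILE="acf-extended.php"
MIN_VULN="0.9.0.5"
MAX_VULN="0.9.1.1"

# Compare two dotted numeric versions component by component; prints -1, 0 or 1.
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return; fi
    done
    echo 0
}

# Succeed when $1 lies inside the affected range (inclusive at both ends).
is_vulnerable_version() {
    [ "$(vercmp "$1" "$MIN_VULN")" -ge 0 ] && [ "$(vercmp "$1" "$MAX_VULN")" -le 0 ]
}

# Pull the "Version:" value out of a plugin's PHP header comment.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n1
}

# Treat every wp-config.php under $1 as one WordPress install and print its
# plugin status (one line per install).
scan_wordpress_root() {
    find "$1" -name wp-config.php 2>/dev/null | while read -r cfg; do
        site=$(dirname "$cfg")
        main="$site/wp-content/plugins/$PLUGIN_SLUG/$PLUGIN_FILE"
        if [ ! -f "$main" ]; then
            echo "$site: plugin not installed"
        elif is_vulnerable_version "$(plugin_version "$main")"; then
            echo "$site: VULNERABLE ($PLUGIN_SLUG $(plugin_version "$main")) - deactivate or update"
        else
            echo "$site: $PLUGIN_SLUG $(plugin_version "$main") (outside affected range)"
        fi
    done
}
```

Run it as `scan_wordpress_root /var/www` (or whatever root holds your sites) and treat any VULNERABLE line as a candidate for the isolate-and-mitigate step; a version reported as outside the range still deserves a check that it was updated rather than downgraded.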

How this ties to ISO 27001 and business continuity (yes, it’s all connected)

An exploitable RCE in a widely used plugin highlights gaps that ISO 27001 is designed to close. The incident touches core information security requirements: asset management (knowing what software you run), vulnerability management and patching, access control, logging and monitoring, and incident response. Organisations that maintain an ISO 27001-aligned Information Security Management System are better placed to identify these assets, prioritise remediation and demonstrate due diligence to regulators and customers. Learn more about aligning your security programme to ISO 27001 here: https://synergosconsultancy.co.uk/iso27001/.

Equally, a compromised website can disrupt services and damage the ability to operate. ISO 22301 (business continuity) guidance helps teams plan for rapid recovery — from isolating affected services to switching to alternate communications channels — reducing downtime and financial impact: https://synergosconsultancy.co.uk/iso-22301-business-continuity-management-system-bcms/.

Controls and practices you should prioritise

Practical controls mapped to recognised good practice include:

  • Comprehensive asset inventory and dependency mapping (so WordPress plugins are not “unknown liabilities”);
  • Formal vulnerability management and rapid patching processes (with emergency patch windows for critical CVEs);
  • Least privilege for web application processes and separating web-facing services from sensitive networks;
  • Application-layer protections such as a WAF, runtime protection and content integrity monitoring;
  • Regular backups stored offsite and tested recovery processes aligned to ISO 22301;
  • Security-aware CI/CD and secure-development practices to reduce the chance of introducing similar flaws.

Where specialist help can speed your recovery and harden your defences

If your organisation lacks the in-house capacity to perform rapid forensic checks, rebuild compromised instances safely and formalise controls, external support can be the difference between a brief outage and a long-running incident. Synergos Consultancy’s ISO-aligned approach (and related services such as Cyber Essentials and security awareness training) can help you close the gaps: https://synergosconsultancy.co.uk/iasme-certifications/ and https://synergosconsultancy.co.uk/usecure. These services are not magic; they are sensible governance and practical controls applied consistently.

Make this incident a catalyst, not a catastrophe

RCEs in popular web components are not theoretical — they are recurring and well-understood. The tangible steps above are straightforward but require discipline: know your assets, patch with urgency, assume compromise and prepare recovery plans underpinned by ISO 27001 and ISO 22301 practices. Put simply, good governance and rapid operational capability turn catastrophic headlines into manageable incidents.

Take five minutes now to scan your WordPress estates for the Advanced Custom Fields: Extended plugin. If you find it, act. If you don’t know where your WordPress sites are, that’s exactly the kind of problem ISO 27001 and Synergos-style advisory work are built to fix.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.