The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.
CVE-2026-8809
Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2026-05-29. the CNA's CVSS baseline 9.8; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 52.4%
- KEV
- Not listed
Published
May 28, 2026
Last Modified
May 29, 2026
References (6)
- linkhttps://www.wordfence.com/threat-intel/vulnerabilities/id/bd332f49-5aa9-4207-89db-84692a6430e0?source=cve
- linkhttps://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/module-acf.php#L141
- linkhttps://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/hooks.php#L636
- linkhttps://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-action-user.php#L715
- linkhttps://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-front.php#L94
- linkhttps://plugins.trac.wordpress.org/changeset/3551665/acf-extended
Vendor Advisories for CVE-2026-8809(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 17× in last 7d / 132× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 327 total refreshes for this CVE.
- 2026-07-16 10:14 UTCEG score recompute
- 2026-07-16 10:14 UTCGHSA enrichment
- 2026-07-16 02:25 UTCEG score recompute
- 2026-07-16 02:25 UTCGHSA enrichment
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-14 17:35 UTCEG score recompute
- 2026-07-14 17:35 UTCGHSA enrichment
- 2026-07-13 22:31 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 22:56 UTCEG score recompute
- 2026-07-11 22:56 UTCGHSA enrichment
- 2026-07-11 18:33 UTCEG score recompute
- 2026-07-11 18:33 UTCGHSA enrichment
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 22:45 UTCEG score recompute
- 2026-07-08 22:45 UTCGHSA enrichment
- 2026-07-08 17:35 UTCEG score recompute
- 2026-07-08 17:35 UTCGHSA enrichment
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
Show 75 moreShow fewer
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:31 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-02 21:40 UTCEG score recompute
- 2026-07-02 21:40 UTCGHSA enrichment
- 2026-07-02 14:09 UTCEG score recompute
- 2026-07-02 14:09 UTCGHSA enrichment
- 2026-07-02 09:38 UTCEG score recompute
- 2026-07-02 09:38 UTCGHSA enrichment
- 2026-07-02 05:03 UTCEG score recompute
- 2026-07-02 05:03 UTCGHSA enrichment
- 2026-07-01 18:58 UTCEG score recompute
- 2026-07-01 18:58 UTCGHSA enrichment
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-07-01 13:27 UTCEG score recompute
- 2026-07-01 13:27 UTCGHSA enrichment
- 2026-07-01 08:54 UTCEG score recompute
- 2026-07-01 08:54 UTCGHSA enrichment
- 2026-07-01 01:54 UTCEG score recompute
- 2026-07-01 01:54 UTCGHSA enrichment
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 05:44 UTCEG score recompute
- 2026-06-30 05:44 UTCGHSA enrichment
- 2026-06-30 01:16 UTCEG score recompute
- 2026-06-30 01:16 UTCGHSA enrichment
- 2026-06-29 19:36 UTCEG score recompute
- 2026-06-29 19:36 UTCGHSA enrichment
- 2026-06-29 13:24 UTCEG score recompute
- 2026-06-29 13:24 UTCGHSA enrichment
- 2026-06-29 00:58 UTCEG score recompute
- 2026-06-29 00:58 UTCGHSA enrichment
- 2026-06-28 20:39 UTCEG score recompute
- 2026-06-28 20:39 UTCGHSA enrichment
- 2026-06-28 16:20 UTCEG score recompute
- 2026-06-28 16:20 UTCGHSA enrichment
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 12:01 UTCEG score recompute
- 2026-06-28 12:01 UTCGHSA enrichment
- 2026-06-28 07:41 UTCEG score recompute
- 2026-06-28 07:41 UTCGHSA enrichment
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 03:22 UTCEG score recompute
- 2026-06-28 03:22 UTCGHSA enrichment
- 2026-06-27 23:03 UTCEG score recompute
- 2026-06-27 23:03 UTCGHSA enrichment
- 2026-06-27 18:43 UTCEG score recompute
- 2026-06-27 18:43 UTCGHSA enrichment
- 2026-06-27 14:24 UTCEG score recompute
- 2026-06-27 14:24 UTCGHSA enrichment
- 2026-06-27 10:06 UTCEG score recompute
- 2026-06-27 10:06 UTCGHSA enrichment
- 2026-06-27 05:47 UTCEG score recompute
- 2026-06-27 05:46 UTCGHSA enrichment
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-27 01:28 UTCEG score recompute
- 2026-06-27 01:28 UTCGHSA enrichment
- 2026-06-26 20:43 UTCEG score recompute
- 2026-06-26 20:43 UTCGHSA enrichment
- 2026-06-26 16:25 UTCEG score recompute
- 2026-06-26 16:25 UTCGHSA enrichment
- 2026-06-26 01:54 UTCEG score recompute
- 2026-06-26 01:54 UTCGHSA enrichment
- 2026-06-25 20:30 UTCEG score recompute
- 2026-06-25 20:30 UTCGHSA enrichment
- 2026-06-25 16:11 UTCEG score recompute
- 2026-06-25 16:11 UTCGHSA enrichment
- 2026-06-25 13:50 UTCEPSS rescore
- 2026-06-25 11:51 UTCEG score recompute
- 2026-06-25 11:51 UTCGHSA enrichment
- 2026-06-25 07:32 UTCEG score recompute
- 2026-06-25 07:32 UTCGHSA enrichment
- 2026-06-25 03:14 UTCEG score recompute
Related CVEs(same CWE)
Same CWE
10 shownCWE-269
Frequently asked(5)
What is CVE-2026-8809?
When was CVE-2026-8809 disclosed?
Is CVE-2026-8809 actively exploited?
What is the CVSS score of CVE-2026-8809?
How do I remediate CVE-2026-8809?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-8809
Is Your Infrastructure Affected by CVE-2026-8809?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.